mirror of
https://codeberg.org/anoncontributorxmr/monero.git
synced 2024-12-27 07:37:50 +00:00
a85b5759f3
These files were pulled from the 1.6.3 release tarball. This new version builds against OpenSSL version 1.1 which will be the default in the new Debian Stable which is due to be released RealSoonNow (tm).
3050 lines
82 KiB
C
3050 lines
82 KiB
C
/*
|
|
* daemon/remote.c - remote control for the unbound daemon.
|
|
*
|
|
* Copyright (c) 2008, NLnet Labs. All rights reserved.
|
|
*
|
|
* This software is open source.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* Redistributions of source code must retain the above copyright notice,
|
|
* this list of conditions and the following disclaimer.
|
|
*
|
|
* Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
*
|
|
* Neither the name of the NLNET LABS nor the names of its contributors may
|
|
* be used to endorse or promote products derived from this software without
|
|
* specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
|
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
*
|
|
* This file contains the remote control functionality for the daemon.
|
|
* The remote control can be performed using either the commandline
|
|
* unbound-control tool, or a TLS capable web browser.
|
|
* The channel is secured using TLSv1, and certificates.
|
|
* Both the server and the client(control tool) have their own keys.
|
|
*/
|
|
#include "config.h"
|
|
#ifdef HAVE_OPENSSL_ERR_H
|
|
#include <openssl/err.h>
|
|
#endif
|
|
#ifdef HAVE_OPENSSL_DH_H
|
|
#include <openssl/dh.h>
|
|
#endif
|
|
#ifdef HAVE_OPENSSL_BN_H
|
|
#include <openssl/bn.h>
|
|
#endif
|
|
|
|
#include <ctype.h>
|
|
#include "daemon/remote.h"
|
|
#include "daemon/worker.h"
|
|
#include "daemon/daemon.h"
|
|
#include "daemon/stats.h"
|
|
#include "daemon/cachedump.h"
|
|
#include "util/log.h"
|
|
#include "util/config_file.h"
|
|
#include "util/net_help.h"
|
|
#include "util/module.h"
|
|
#include "services/listen_dnsport.h"
|
|
#include "services/cache/rrset.h"
|
|
#include "services/cache/infra.h"
|
|
#include "services/mesh.h"
|
|
#include "services/localzone.h"
|
|
#include "util/storage/slabhash.h"
|
|
#include "util/fptr_wlist.h"
|
|
#include "util/data/dname.h"
|
|
#include "validator/validator.h"
|
|
#include "validator/val_kcache.h"
|
|
#include "validator/val_kentry.h"
|
|
#include "validator/val_anchor.h"
|
|
#include "iterator/iterator.h"
|
|
#include "iterator/iter_fwd.h"
|
|
#include "iterator/iter_hints.h"
|
|
#include "iterator/iter_delegpt.h"
|
|
#include "services/outbound_list.h"
|
|
#include "services/outside_network.h"
|
|
#include "sldns/str2wire.h"
|
|
#include "sldns/parseutil.h"
|
|
#include "sldns/wire2str.h"
|
|
#include "sldns/sbuffer.h"
|
|
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
# include <sys/types.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_STAT_H
|
|
#include <sys/stat.h>
|
|
#endif
|
|
#ifdef HAVE_NETDB_H
|
|
#include <netdb.h>
|
|
#endif
|
|
|
|
/* just for portability */
|
|
#ifdef SQ
|
|
#undef SQ
|
|
#endif
|
|
|
|
/** what to put on statistics lines between var and value, ": " or "=" */
|
|
#define SQ "="
|
|
/** if true, inhibits a lot of =0 lines from the stats output */
|
|
static const int inhibit_zero = 1;
|
|
|
|
/** subtract timers and the values do not overflow or become negative */
|
|
static void
|
|
timeval_subtract(struct timeval* d, const struct timeval* end,
|
|
const struct timeval* start)
|
|
{
|
|
#ifndef S_SPLINT_S
|
|
time_t end_usec = end->tv_usec;
|
|
d->tv_sec = end->tv_sec - start->tv_sec;
|
|
if(end_usec < start->tv_usec) {
|
|
end_usec += 1000000;
|
|
d->tv_sec--;
|
|
}
|
|
d->tv_usec = end_usec - start->tv_usec;
|
|
#endif
|
|
}
|
|
|
|
/** divide sum of timers to get average */
|
|
static void
|
|
timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
|
|
{
|
|
#ifndef S_SPLINT_S
|
|
size_t leftover;
|
|
if(d == 0) {
|
|
avg->tv_sec = 0;
|
|
avg->tv_usec = 0;
|
|
return;
|
|
}
|
|
avg->tv_sec = sum->tv_sec / d;
|
|
avg->tv_usec = sum->tv_usec / d;
|
|
/* handle fraction from seconds divide */
|
|
leftover = sum->tv_sec - avg->tv_sec*d;
|
|
avg->tv_usec += (leftover*1000000)/d;
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* The following function was generated using the openssl utility, using
|
|
* the command : "openssl dhparam -C 2048"
|
|
* (some openssl versions reject DH that is 'too small', eg. 512).
|
|
*/
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
|
|
#ifndef S_SPLINT_S
|
|
static DH *get_dh2048(void)
|
|
{
|
|
static unsigned char dh2048_p[]={
|
|
0xE7,0x36,0x28,0x3B,0xE4,0xC3,0x32,0x1C,0x01,0xC3,0x67,0xD6,
|
|
0xF5,0xF3,0xDA,0xDC,0x71,0xC0,0x42,0x8B,0xE6,0xEB,0x8D,0x80,
|
|
0x35,0x7F,0x09,0x45,0x30,0xE5,0xB2,0x92,0x81,0x3F,0x08,0xCD,
|
|
0x36,0x5E,0x19,0x83,0x62,0xCC,0xAE,0x9B,0x81,0x66,0x24,0xEE,
|
|
0x16,0x6F,0xA9,0x9E,0xF4,0x82,0x1B,0xDD,0x46,0xC7,0x33,0x5D,
|
|
0xF4,0xCA,0xE6,0x8F,0xFC,0xD4,0xD8,0x58,0x94,0x24,0x5D,0xFF,
|
|
0x0A,0xE8,0xEF,0x3D,0xCE,0xBB,0x50,0x94,0xE0,0x5F,0xE8,0x41,
|
|
0xC3,0x35,0x30,0x37,0xD5,0xCB,0x8F,0x3D,0x95,0x15,0x1A,0x77,
|
|
0x42,0xB2,0x06,0x86,0xF6,0x09,0x66,0x0E,0x9A,0x25,0x94,0x3E,
|
|
0xD2,0x04,0x25,0x25,0x1D,0x23,0xEB,0xDC,0x4D,0x0C,0x83,0x28,
|
|
0x2E,0x15,0x81,0x2D,0xC1,0xAF,0x8D,0x36,0x64,0xE3,0x9A,0x83,
|
|
0x78,0xC2,0x8D,0xC0,0x9D,0xD9,0x3A,0x1C,0xC5,0x2B,0x50,0x68,
|
|
0x07,0xA9,0x4B,0x8C,0x07,0x57,0xD6,0x15,0x03,0x4E,0x9E,0x01,
|
|
0xF2,0x6F,0x35,0xAC,0x26,0x9C,0x92,0x68,0x61,0x13,0xFB,0x01,
|
|
0xBA,0x22,0x36,0x01,0x55,0xB6,0x62,0xD9,0xB2,0x98,0xCE,0x5D,
|
|
0x4B,0xA5,0x41,0xD6,0xE5,0x70,0x78,0x12,0x1F,0x64,0xB6,0x6F,
|
|
0xB0,0x91,0x51,0x91,0x92,0xC0,0x94,0x3A,0xD1,0x28,0x4D,0x30,
|
|
0x84,0x3E,0xE4,0xE4,0x7F,0x47,0x89,0xB1,0xB6,0x8C,0x8E,0x0E,
|
|
0x26,0xDB,0xCD,0x17,0x07,0x2A,0x21,0x7A,0xCC,0x68,0xE8,0x57,
|
|
0x94,0x9E,0x59,0x61,0xEC,0x20,0x34,0x26,0x0D,0x66,0x44,0xEB,
|
|
0x6F,0x02,0x58,0xE2,0xED,0xF6,0xF3,0x1B,0xBF,0x9E,0x45,0x52,
|
|
0x5A,0x49,0xA1,0x5B,
|
|
};
|
|
static unsigned char dh2048_g[]={
|
|
0x02,
|
|
};
|
|
DH *dh = NULL;
|
|
BIGNUM *p = NULL, *g = NULL;
|
|
|
|
dh = DH_new();
|
|
p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
|
|
g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
|
|
if (!dh || !p || !g)
|
|
goto err;
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
|
|
dh->p = p;
|
|
dh->g = g;
|
|
#else
|
|
if (!DH_set0_pqg(dh, p, NULL, g))
|
|
goto err;
|
|
#endif
|
|
return dh;
|
|
err:
|
|
if (p)
|
|
BN_free(p);
|
|
if (g)
|
|
BN_free(g);
|
|
if (dh)
|
|
DH_free(dh);
|
|
return NULL;
|
|
}
|
|
#endif /* SPLINT */
|
|
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
|
|
|
|
struct daemon_remote*
|
|
daemon_remote_create(struct config_file* cfg)
|
|
{
|
|
char* s_cert;
|
|
char* s_key;
|
|
struct daemon_remote* rc = (struct daemon_remote*)calloc(1,
|
|
sizeof(*rc));
|
|
if(!rc) {
|
|
log_err("out of memory in daemon_remote_create");
|
|
return NULL;
|
|
}
|
|
rc->max_active = 10;
|
|
|
|
if(!cfg->remote_control_enable) {
|
|
rc->ctx = NULL;
|
|
return rc;
|
|
}
|
|
rc->ctx = SSL_CTX_new(SSLv23_server_method());
|
|
if(!rc->ctx) {
|
|
log_crypto_err("could not SSL_CTX_new");
|
|
free(rc);
|
|
return NULL;
|
|
}
|
|
/* no SSLv2, SSLv3 because has defects */
|
|
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
|
|
!= SSL_OP_NO_SSLv2){
|
|
log_crypto_err("could not set SSL_OP_NO_SSLv2");
|
|
daemon_remote_delete(rc);
|
|
return NULL;
|
|
}
|
|
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
|
|
!= SSL_OP_NO_SSLv3){
|
|
log_crypto_err("could not set SSL_OP_NO_SSLv3");
|
|
daemon_remote_delete(rc);
|
|
return NULL;
|
|
}
|
|
#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
|
|
/* if we have tls 1.1 disable 1.0 */
|
|
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
|
|
!= SSL_OP_NO_TLSv1){
|
|
log_crypto_err("could not set SSL_OP_NO_TLSv1");
|
|
daemon_remote_delete(rc);
|
|
return NULL;
|
|
}
|
|
#endif
|
|
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
|
|
/* if we have tls 1.2 disable 1.1 */
|
|
if((SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
|
|
!= SSL_OP_NO_TLSv1_1){
|
|
log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
|
|
daemon_remote_delete(rc);
|
|
return NULL;
|
|
}
|
|
#endif
|
|
#ifdef SHA256_DIGEST_LENGTH
|
|
/* if we have sha256, set the cipher list to have no known vulns */
|
|
if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
|
|
log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
|
|
#endif
|
|
|
|
if (cfg->remote_control_use_cert == 0) {
|
|
/* No certificates are requested */
|
|
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
|
|
SSL_CTX_set_security_level(rc->ctx, 0);
|
|
#endif
|
|
if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL, eNULL")) {
|
|
log_crypto_err("Failed to set aNULL cipher list");
|
|
daemon_remote_delete(rc);
|
|
return NULL;
|
|
}
|
|
|
|
/* in openssl 1.1, the securitylevel 0 allows eNULL, that
|
|
* does not need the DH */
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
|
|
/* Since we have no certificates and hence no source of
|
|
* DH params, let's generate and set them
|
|
*/
|
|
if(!SSL_CTX_set_tmp_dh(rc->ctx,get_dh2048())) {
|
|
log_crypto_err("Wanted to set DH param, but failed");
|
|
daemon_remote_delete(rc);
|
|
return NULL;
|
|
}
|
|
#endif
|
|
return rc;
|
|
}
|
|
rc->use_cert = 1;
|
|
s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
|
|
s_key = fname_after_chroot(cfg->server_key_file, cfg, 1);
|
|
if(!s_cert || !s_key) {
|
|
log_err("out of memory in remote control fname");
|
|
goto setup_error;
|
|
}
|
|
verbose(VERB_ALGO, "setup SSL certificates");
|
|
if (!SSL_CTX_use_certificate_chain_file(rc->ctx,s_cert)) {
|
|
log_err("Error for server-cert-file: %s", s_cert);
|
|
log_crypto_err("Error in SSL_CTX use_certificate_chain_file");
|
|
goto setup_error;
|
|
}
|
|
if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
|
|
log_err("Error for server-key-file: %s", s_key);
|
|
log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
|
|
goto setup_error;
|
|
}
|
|
if(!SSL_CTX_check_private_key(rc->ctx)) {
|
|
log_err("Error for server-key-file: %s", s_key);
|
|
log_crypto_err("Error in SSL_CTX check_private_key");
|
|
goto setup_error;
|
|
}
|
|
#if HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
|
|
if(!SSL_CTX_set_ecdh_auto(rc->ctx,1)) {
|
|
log_crypto_err("Error in SSL_CTX_ecdh_auto, not enabling ECDHE");
|
|
}
|
|
#elif defined(USE_ECDSA)
|
|
if(1) {
|
|
EC_KEY *ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
|
|
if (!ecdh) {
|
|
log_crypto_err("could not find p256, not enabling ECDHE");
|
|
} else {
|
|
if (1 != SSL_CTX_set_tmp_ecdh (rc->ctx, ecdh)) {
|
|
log_crypto_err("Error in SSL_CTX_set_tmp_ecdh, not enabling ECDHE");
|
|
}
|
|
EC_KEY_free (ecdh);
|
|
}
|
|
}
|
|
#endif
|
|
if(!SSL_CTX_load_verify_locations(rc->ctx, s_cert, NULL)) {
|
|
log_crypto_err("Error setting up SSL_CTX verify locations");
|
|
setup_error:
|
|
free(s_cert);
|
|
free(s_key);
|
|
daemon_remote_delete(rc);
|
|
return NULL;
|
|
}
|
|
SSL_CTX_set_client_CA_list(rc->ctx, SSL_load_client_CA_file(s_cert));
|
|
SSL_CTX_set_verify(rc->ctx, SSL_VERIFY_PEER, NULL);
|
|
free(s_cert);
|
|
free(s_key);
|
|
|
|
return rc;
|
|
}
|
|
|
|
void daemon_remote_clear(struct daemon_remote* rc)
|
|
{
|
|
struct rc_state* p, *np;
|
|
if(!rc) return;
|
|
/* but do not close the ports */
|
|
listen_list_delete(rc->accept_list);
|
|
rc->accept_list = NULL;
|
|
/* do close these sockets */
|
|
p = rc->busy_list;
|
|
while(p) {
|
|
np = p->next;
|
|
if(p->ssl)
|
|
SSL_free(p->ssl);
|
|
comm_point_delete(p->c);
|
|
free(p);
|
|
p = np;
|
|
}
|
|
rc->busy_list = NULL;
|
|
rc->active = 0;
|
|
rc->worker = NULL;
|
|
}
|
|
|
|
void daemon_remote_delete(struct daemon_remote* rc)
|
|
{
|
|
if(!rc) return;
|
|
daemon_remote_clear(rc);
|
|
if(rc->ctx) {
|
|
SSL_CTX_free(rc->ctx);
|
|
}
|
|
free(rc);
|
|
}
|
|
|
|
/**
|
|
* Add and open a new control port
|
|
* @param ip: ip str
|
|
* @param nr: port nr
|
|
* @param list: list head
|
|
* @param noproto_is_err: if lack of protocol support is an error.
|
|
* @param cfg: config with username for chown of unix-sockets.
|
|
* @return false on failure.
|
|
*/
|
|
static int
|
|
add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
|
|
struct config_file* cfg)
|
|
{
|
|
struct addrinfo hints;
|
|
struct addrinfo* res;
|
|
struct listen_port* n;
|
|
int noproto;
|
|
int fd, r;
|
|
char port[15];
|
|
snprintf(port, sizeof(port), "%d", nr);
|
|
port[sizeof(port)-1]=0;
|
|
memset(&hints, 0, sizeof(hints));
|
|
|
|
if(ip[0] == '/') {
|
|
/* This looks like a local socket */
|
|
fd = create_local_accept_sock(ip, &noproto, cfg->use_systemd);
|
|
/*
|
|
* Change socket ownership and permissions so users other
|
|
* than root can access it provided they are in the same
|
|
* group as the user we run as.
|
|
*/
|
|
if(fd != -1) {
|
|
#ifdef HAVE_CHOWN
|
|
if (cfg->username && cfg->username[0] &&
|
|
cfg_uid != (uid_t)-1) {
|
|
if(chown(ip, cfg_uid, cfg_gid) == -1)
|
|
log_err("cannot chown %u.%u %s: %s",
|
|
(unsigned)cfg_uid, (unsigned)cfg_gid,
|
|
ip, strerror(errno));
|
|
}
|
|
chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
|
|
#else
|
|
(void)cfg;
|
|
#endif
|
|
}
|
|
} else {
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
|
|
if((r = getaddrinfo(ip, port, &hints, &res)) != 0 || !res) {
|
|
#ifdef USE_WINSOCK
|
|
if(!noproto_is_err && r == EAI_NONAME) {
|
|
/* tried to lookup the address as name */
|
|
return 1; /* return success, but do nothing */
|
|
}
|
|
#endif /* USE_WINSOCK */
|
|
log_err("control interface %s:%s getaddrinfo: %s %s",
|
|
ip?ip:"default", port, gai_strerror(r),
|
|
#ifdef EAI_SYSTEM
|
|
r==EAI_SYSTEM?(char*)strerror(errno):""
|
|
#else
|
|
""
|
|
#endif
|
|
);
|
|
return 0;
|
|
}
|
|
|
|
/* open fd */
|
|
fd = create_tcp_accept_sock(res, 1, &noproto, 0,
|
|
cfg->ip_transparent, 0, cfg->ip_freebind, cfg->use_systemd);
|
|
freeaddrinfo(res);
|
|
}
|
|
|
|
if(fd == -1 && noproto) {
|
|
if(!noproto_is_err)
|
|
return 1; /* return success, but do nothing */
|
|
log_err("cannot open control interface %s %d : "
|
|
"protocol not supported", ip, nr);
|
|
return 0;
|
|
}
|
|
if(fd == -1) {
|
|
log_err("cannot open control interface %s %d", ip, nr);
|
|
return 0;
|
|
}
|
|
|
|
/* alloc */
|
|
n = (struct listen_port*)calloc(1, sizeof(*n));
|
|
if(!n) {
|
|
#ifndef USE_WINSOCK
|
|
close(fd);
|
|
#else
|
|
closesocket(fd);
|
|
#endif
|
|
log_err("out of memory");
|
|
return 0;
|
|
}
|
|
n->next = *list;
|
|
*list = n;
|
|
n->fd = fd;
|
|
return 1;
|
|
}
|
|
|
|
struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
|
|
{
|
|
struct listen_port* l = NULL;
|
|
log_assert(cfg->remote_control_enable && cfg->control_port);
|
|
if(cfg->control_ifs) {
|
|
struct config_strlist* p;
|
|
for(p = cfg->control_ifs; p; p = p->next) {
|
|
if(!add_open(p->str, cfg->control_port, &l, 1, cfg)) {
|
|
listening_ports_free(l);
|
|
return NULL;
|
|
}
|
|
}
|
|
} else {
|
|
/* defaults */
|
|
if(cfg->do_ip6 &&
|
|
!add_open("::1", cfg->control_port, &l, 0, cfg)) {
|
|
listening_ports_free(l);
|
|
return NULL;
|
|
}
|
|
if(cfg->do_ip4 &&
|
|
!add_open("127.0.0.1", cfg->control_port, &l, 1, cfg)) {
|
|
listening_ports_free(l);
|
|
return NULL;
|
|
}
|
|
}
|
|
return l;
|
|
}
|
|
|
|
/** open accept commpoint */
|
|
static int
|
|
accept_open(struct daemon_remote* rc, int fd)
|
|
{
|
|
struct listen_list* n = (struct listen_list*)malloc(sizeof(*n));
|
|
if(!n) {
|
|
log_err("out of memory");
|
|
return 0;
|
|
}
|
|
n->next = rc->accept_list;
|
|
rc->accept_list = n;
|
|
/* open commpt */
|
|
n->com = comm_point_create_raw(rc->worker->base, fd, 0,
|
|
&remote_accept_callback, rc);
|
|
if(!n->com)
|
|
return 0;
|
|
/* keep this port open, its fd is kept in the rc portlist */
|
|
n->com->do_not_close = 1;
|
|
return 1;
|
|
}
|
|
|
|
int daemon_remote_open_accept(struct daemon_remote* rc,
|
|
struct listen_port* ports, struct worker* worker)
|
|
{
|
|
struct listen_port* p;
|
|
rc->worker = worker;
|
|
for(p = ports; p; p = p->next) {
|
|
if(!accept_open(rc, p->fd)) {
|
|
log_err("could not create accept comm point");
|
|
return 0;
|
|
}
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
void daemon_remote_stop_accept(struct daemon_remote* rc)
|
|
{
|
|
struct listen_list* p;
|
|
for(p=rc->accept_list; p; p=p->next) {
|
|
comm_point_stop_listening(p->com);
|
|
}
|
|
}
|
|
|
|
void daemon_remote_start_accept(struct daemon_remote* rc)
|
|
{
|
|
struct listen_list* p;
|
|
for(p=rc->accept_list; p; p=p->next) {
|
|
comm_point_start_listening(p->com, -1, -1);
|
|
}
|
|
}
|
|
|
|
int remote_accept_callback(struct comm_point* c, void* arg, int err,
|
|
struct comm_reply* ATTR_UNUSED(rep))
|
|
{
|
|
struct daemon_remote* rc = (struct daemon_remote*)arg;
|
|
struct sockaddr_storage addr;
|
|
socklen_t addrlen;
|
|
int newfd;
|
|
struct rc_state* n;
|
|
if(err != NETEVENT_NOERROR) {
|
|
log_err("error %d on remote_accept_callback", err);
|
|
return 0;
|
|
}
|
|
/* perform the accept */
|
|
newfd = comm_point_perform_accept(c, &addr, &addrlen);
|
|
if(newfd == -1)
|
|
return 0;
|
|
/* create new commpoint unless we are servicing already */
|
|
if(rc->active >= rc->max_active) {
|
|
log_warn("drop incoming remote control: too many connections");
|
|
close_exit:
|
|
#ifndef USE_WINSOCK
|
|
close(newfd);
|
|
#else
|
|
closesocket(newfd);
|
|
#endif
|
|
return 0;
|
|
}
|
|
|
|
/* setup commpoint to service the remote control command */
|
|
n = (struct rc_state*)calloc(1, sizeof(*n));
|
|
if(!n) {
|
|
log_err("out of memory");
|
|
goto close_exit;
|
|
}
|
|
/* start in reading state */
|
|
n->c = comm_point_create_raw(rc->worker->base, newfd, 0,
|
|
&remote_control_callback, n);
|
|
if(!n->c) {
|
|
log_err("out of memory");
|
|
free(n);
|
|
goto close_exit;
|
|
}
|
|
log_addr(VERB_QUERY, "new control connection from", &addr, addrlen);
|
|
n->c->do_not_close = 0;
|
|
comm_point_stop_listening(n->c);
|
|
comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT);
|
|
memcpy(&n->c->repinfo.addr, &addr, addrlen);
|
|
n->c->repinfo.addrlen = addrlen;
|
|
n->shake_state = rc_hs_read;
|
|
n->ssl = SSL_new(rc->ctx);
|
|
if(!n->ssl) {
|
|
log_crypto_err("could not SSL_new");
|
|
comm_point_delete(n->c);
|
|
free(n);
|
|
goto close_exit;
|
|
}
|
|
SSL_set_accept_state(n->ssl);
|
|
(void)SSL_set_mode(n->ssl, SSL_MODE_AUTO_RETRY);
|
|
if(!SSL_set_fd(n->ssl, newfd)) {
|
|
log_crypto_err("could not SSL_set_fd");
|
|
SSL_free(n->ssl);
|
|
comm_point_delete(n->c);
|
|
free(n);
|
|
goto close_exit;
|
|
}
|
|
|
|
n->rc = rc;
|
|
n->next = rc->busy_list;
|
|
rc->busy_list = n;
|
|
rc->active ++;
|
|
|
|
/* perform the first nonblocking read already, for windows,
|
|
* so it can return wouldblock. could be faster too. */
|
|
(void)remote_control_callback(n->c, n, NETEVENT_NOERROR, NULL);
|
|
return 0;
|
|
}
|
|
|
|
/** delete from list */
|
|
static void
|
|
state_list_remove_elem(struct rc_state** list, struct comm_point* c)
|
|
{
|
|
while(*list) {
|
|
if( (*list)->c == c) {
|
|
*list = (*list)->next;
|
|
return;
|
|
}
|
|
list = &(*list)->next;
|
|
}
|
|
}
|
|
|
|
/** decrease active count and remove commpoint from busy list */
|
|
static void
|
|
clean_point(struct daemon_remote* rc, struct rc_state* s)
|
|
{
|
|
state_list_remove_elem(&rc->busy_list, s->c);
|
|
rc->active --;
|
|
if(s->ssl) {
|
|
SSL_shutdown(s->ssl);
|
|
SSL_free(s->ssl);
|
|
}
|
|
comm_point_delete(s->c);
|
|
free(s);
|
|
}
|
|
|
|
int
|
|
ssl_print_text(SSL* ssl, const char* text)
|
|
{
|
|
int r;
|
|
if(!ssl)
|
|
return 0;
|
|
ERR_clear_error();
|
|
if((r=SSL_write(ssl, text, (int)strlen(text))) <= 0) {
|
|
if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
|
|
verbose(VERB_QUERY, "warning, in SSL_write, peer "
|
|
"closed connection");
|
|
return 0;
|
|
}
|
|
log_crypto_err("could not SSL_write");
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** print text over the ssl connection */
|
|
static int
|
|
ssl_print_vmsg(SSL* ssl, const char* format, va_list args)
|
|
{
|
|
char msg[1024];
|
|
vsnprintf(msg, sizeof(msg), format, args);
|
|
return ssl_print_text(ssl, msg);
|
|
}
|
|
|
|
/** printf style printing to the ssl connection */
|
|
int ssl_printf(SSL* ssl, const char* format, ...)
|
|
{
|
|
va_list args;
|
|
int ret;
|
|
va_start(args, format);
|
|
ret = ssl_print_vmsg(ssl, format, args);
|
|
va_end(args);
|
|
return ret;
|
|
}
|
|
|
|
int
|
|
ssl_read_line(SSL* ssl, char* buf, size_t max)
|
|
{
|
|
int r;
|
|
size_t len = 0;
|
|
if(!ssl)
|
|
return 0;
|
|
while(len < max) {
|
|
ERR_clear_error();
|
|
if((r=SSL_read(ssl, buf+len, 1)) <= 0) {
|
|
if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN) {
|
|
buf[len] = 0;
|
|
return 1;
|
|
}
|
|
log_crypto_err("could not SSL_read");
|
|
return 0;
|
|
}
|
|
if(buf[len] == '\n') {
|
|
/* return string without \n */
|
|
buf[len] = 0;
|
|
return 1;
|
|
}
|
|
len++;
|
|
}
|
|
buf[max-1] = 0;
|
|
log_err("control line too long (%d): %s", (int)max, buf);
|
|
return 0;
|
|
}
|
|
|
|
/** skip whitespace, return new pointer into string */
|
|
static char*
|
|
skipwhite(char* str)
|
|
{
|
|
/* EOS \0 is not a space */
|
|
while( isspace((unsigned char)*str) )
|
|
str++;
|
|
return str;
|
|
}
|
|
|
|
/** send the OK to the control client */
|
|
static void send_ok(SSL* ssl)
|
|
{
|
|
(void)ssl_printf(ssl, "ok\n");
|
|
}
|
|
|
|
/** do the stop command */
|
|
static void
|
|
do_stop(SSL* ssl, struct daemon_remote* rc)
|
|
{
|
|
rc->worker->need_to_exit = 1;
|
|
comm_base_exit(rc->worker->base);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** do the reload command */
|
|
static void
|
|
do_reload(SSL* ssl, struct daemon_remote* rc)
|
|
{
|
|
rc->worker->need_to_exit = 0;
|
|
comm_base_exit(rc->worker->base);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** do the verbosity command */
|
|
static void
|
|
do_verbosity(SSL* ssl, char* str)
|
|
{
|
|
int val = atoi(str);
|
|
if(val == 0 && strcmp(str, "0") != 0) {
|
|
ssl_printf(ssl, "error in verbosity number syntax: %s\n", str);
|
|
return;
|
|
}
|
|
verbosity = val;
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** print stats from statinfo */
|
|
static int
|
|
print_stats(SSL* ssl, const char* nm, struct stats_info* s)
|
|
{
|
|
struct timeval avg;
|
|
if(!ssl_printf(ssl, "%s.num.queries"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.num_queries)) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.queries_ip_ratelimited"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.num_queries_ip_ratelimited)) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.cachehits"SQ"%lu\n", nm,
|
|
(unsigned long)(s->svr.num_queries
|
|
- s->svr.num_queries_missed_cache))) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.cachemiss"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.num_queries_missed_cache)) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.prefetch"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.num_queries_prefetch)) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.zero_ttl"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.zero_ttl_responses)) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.recursivereplies"SQ"%lu\n", nm,
|
|
(unsigned long)s->mesh_replies_sent)) return 0;
|
|
#ifdef USE_DNSCRYPT
|
|
if(!ssl_printf(ssl, "%s.num.dnscrypt.crypted"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.num_query_dnscrypt_crypted)) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.dnscrypt.cert"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.num_query_dnscrypt_cert)) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.dnscrypt.cleartext"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.num_query_dnscrypt_cleartext)) return 0;
|
|
if(!ssl_printf(ssl, "%s.num.dnscrypt.malformed"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.num_query_dnscrypt_crypted_malformed)) return 0;
|
|
#endif
|
|
if(!ssl_printf(ssl, "%s.requestlist.avg"SQ"%g\n", nm,
|
|
(s->svr.num_queries_missed_cache+s->svr.num_queries_prefetch)?
|
|
(double)s->svr.sum_query_list_size/
|
|
(s->svr.num_queries_missed_cache+
|
|
s->svr.num_queries_prefetch) : 0.0)) return 0;
|
|
if(!ssl_printf(ssl, "%s.requestlist.max"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.max_query_list_size)) return 0;
|
|
if(!ssl_printf(ssl, "%s.requestlist.overwritten"SQ"%lu\n", nm,
|
|
(unsigned long)s->mesh_jostled)) return 0;
|
|
if(!ssl_printf(ssl, "%s.requestlist.exceeded"SQ"%lu\n", nm,
|
|
(unsigned long)s->mesh_dropped)) return 0;
|
|
if(!ssl_printf(ssl, "%s.requestlist.current.all"SQ"%lu\n", nm,
|
|
(unsigned long)s->mesh_num_states)) return 0;
|
|
if(!ssl_printf(ssl, "%s.requestlist.current.user"SQ"%lu\n", nm,
|
|
(unsigned long)s->mesh_num_reply_states)) return 0;
|
|
timeval_divide(&avg, &s->mesh_replies_sum_wait, s->mesh_replies_sent);
|
|
if(!ssl_printf(ssl, "%s.recursion.time.avg"SQ ARG_LL "d.%6.6d\n", nm,
|
|
(long long)avg.tv_sec, (int)avg.tv_usec)) return 0;
|
|
if(!ssl_printf(ssl, "%s.recursion.time.median"SQ"%g\n", nm,
|
|
s->mesh_time_median)) return 0;
|
|
if(!ssl_printf(ssl, "%s.tcpusage"SQ"%lu\n", nm,
|
|
(unsigned long)s->svr.tcp_accept_usage)) return 0;
|
|
return 1;
|
|
}
|
|
|
|
/** print stats for one thread */
|
|
static int
|
|
print_thread_stats(SSL* ssl, int i, struct stats_info* s)
|
|
{
|
|
char nm[16];
|
|
snprintf(nm, sizeof(nm), "thread%d", i);
|
|
nm[sizeof(nm)-1]=0;
|
|
return print_stats(ssl, nm, s);
|
|
}
|
|
|
|
/** print long number */
|
|
static int
|
|
print_longnum(SSL* ssl, const char* desc, size_t x)
|
|
{
|
|
if(x > 1024*1024*1024) {
|
|
/* more than a Gb */
|
|
size_t front = x / (size_t)1000000;
|
|
size_t back = x % (size_t)1000000;
|
|
return ssl_printf(ssl, "%s%u%6.6u\n", desc,
|
|
(unsigned)front, (unsigned)back);
|
|
} else {
|
|
return ssl_printf(ssl, "%s%lu\n", desc, (unsigned long)x);
|
|
}
|
|
}
|
|
|
|
/** print mem stats */
|
|
static int
|
|
print_mem(SSL* ssl, struct worker* worker, struct daemon* daemon)
|
|
{
|
|
int m;
|
|
size_t msg, rrset, val, iter, respip;
|
|
#ifdef CLIENT_SUBNET
|
|
size_t subnet = 0;
|
|
#endif /* CLIENT_SUBNET */
|
|
msg = slabhash_get_mem(daemon->env->msg_cache);
|
|
rrset = slabhash_get_mem(&daemon->env->rrset_cache->table);
|
|
val=0;
|
|
iter=0;
|
|
respip=0;
|
|
m = modstack_find(&worker->env.mesh->mods, "validator");
|
|
if(m != -1) {
|
|
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
|
|
mods.mod[m]->get_mem));
|
|
val = (*worker->env.mesh->mods.mod[m]->get_mem)
|
|
(&worker->env, m);
|
|
}
|
|
m = modstack_find(&worker->env.mesh->mods, "iterator");
|
|
if(m != -1) {
|
|
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
|
|
mods.mod[m]->get_mem));
|
|
iter = (*worker->env.mesh->mods.mod[m]->get_mem)
|
|
(&worker->env, m);
|
|
}
|
|
m = modstack_find(&worker->env.mesh->mods, "respip");
|
|
if(m != -1) {
|
|
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
|
|
mods.mod[m]->get_mem));
|
|
respip = (*worker->env.mesh->mods.mod[m]->get_mem)
|
|
(&worker->env, m);
|
|
}
|
|
#ifdef CLIENT_SUBNET
|
|
m = modstack_find(&worker->env.mesh->mods, "subnet");
|
|
if(m != -1) {
|
|
fptr_ok(fptr_whitelist_mod_get_mem(worker->env.mesh->
|
|
mods.mod[m]->get_mem));
|
|
subnet = (*worker->env.mesh->mods.mod[m]->get_mem)
|
|
(&worker->env, m);
|
|
}
|
|
#endif /* CLIENT_SUBNET */
|
|
|
|
if(!print_longnum(ssl, "mem.cache.rrset"SQ, rrset))
|
|
return 0;
|
|
if(!print_longnum(ssl, "mem.cache.message"SQ, msg))
|
|
return 0;
|
|
if(!print_longnum(ssl, "mem.mod.iterator"SQ, iter))
|
|
return 0;
|
|
if(!print_longnum(ssl, "mem.mod.validator"SQ, val))
|
|
return 0;
|
|
if(!print_longnum(ssl, "mem.mod.respip"SQ, respip))
|
|
return 0;
|
|
#ifdef CLIENT_SUBNET
|
|
if(!print_longnum(ssl, "mem.mod.subnet"SQ, subnet))
|
|
return 0;
|
|
#endif /* CLIENT_SUBNET */
|
|
return 1;
|
|
}
|
|
|
|
/** print uptime stats */
|
|
static int
|
|
print_uptime(SSL* ssl, struct worker* worker, int reset)
|
|
{
|
|
struct timeval now = *worker->env.now_tv;
|
|
struct timeval up, dt;
|
|
timeval_subtract(&up, &now, &worker->daemon->time_boot);
|
|
timeval_subtract(&dt, &now, &worker->daemon->time_last_stat);
|
|
if(reset)
|
|
worker->daemon->time_last_stat = now;
|
|
if(!ssl_printf(ssl, "time.now"SQ ARG_LL "d.%6.6d\n",
|
|
(long long)now.tv_sec, (unsigned)now.tv_usec)) return 0;
|
|
if(!ssl_printf(ssl, "time.up"SQ ARG_LL "d.%6.6d\n",
|
|
(long long)up.tv_sec, (unsigned)up.tv_usec)) return 0;
|
|
if(!ssl_printf(ssl, "time.elapsed"SQ ARG_LL "d.%6.6d\n",
|
|
(long long)dt.tv_sec, (unsigned)dt.tv_usec)) return 0;
|
|
return 1;
|
|
}
|
|
|
|
/** print extended histogram */
|
|
static int
|
|
print_hist(SSL* ssl, struct stats_info* s)
|
|
{
|
|
struct timehist* hist;
|
|
size_t i;
|
|
hist = timehist_setup();
|
|
if(!hist) {
|
|
log_err("out of memory");
|
|
return 0;
|
|
}
|
|
timehist_import(hist, s->svr.hist, NUM_BUCKETS_HIST);
|
|
for(i=0; i<hist->num; i++) {
|
|
if(!ssl_printf(ssl,
|
|
"histogram.%6.6d.%6.6d.to.%6.6d.%6.6d=%lu\n",
|
|
(int)hist->buckets[i].lower.tv_sec,
|
|
(int)hist->buckets[i].lower.tv_usec,
|
|
(int)hist->buckets[i].upper.tv_sec,
|
|
(int)hist->buckets[i].upper.tv_usec,
|
|
(unsigned long)hist->buckets[i].count)) {
|
|
timehist_delete(hist);
|
|
return 0;
|
|
}
|
|
}
|
|
timehist_delete(hist);
|
|
return 1;
|
|
}
|
|
|
|
/** print extended stats */
|
|
static int
|
|
print_ext(SSL* ssl, struct stats_info* s)
|
|
{
|
|
int i;
|
|
char nm[16];
|
|
const sldns_rr_descriptor* desc;
|
|
const sldns_lookup_table* lt;
|
|
/* TYPE */
|
|
for(i=0; i<STATS_QTYPE_NUM; i++) {
|
|
if(inhibit_zero && s->svr.qtype[i] == 0)
|
|
continue;
|
|
desc = sldns_rr_descript((uint16_t)i);
|
|
if(desc && desc->_name) {
|
|
snprintf(nm, sizeof(nm), "%s", desc->_name);
|
|
} else if (i == LDNS_RR_TYPE_IXFR) {
|
|
snprintf(nm, sizeof(nm), "IXFR");
|
|
} else if (i == LDNS_RR_TYPE_AXFR) {
|
|
snprintf(nm, sizeof(nm), "AXFR");
|
|
} else if (i == LDNS_RR_TYPE_MAILA) {
|
|
snprintf(nm, sizeof(nm), "MAILA");
|
|
} else if (i == LDNS_RR_TYPE_MAILB) {
|
|
snprintf(nm, sizeof(nm), "MAILB");
|
|
} else if (i == LDNS_RR_TYPE_ANY) {
|
|
snprintf(nm, sizeof(nm), "ANY");
|
|
} else {
|
|
snprintf(nm, sizeof(nm), "TYPE%d", i);
|
|
}
|
|
if(!ssl_printf(ssl, "num.query.type.%s"SQ"%lu\n",
|
|
nm, (unsigned long)s->svr.qtype[i])) return 0;
|
|
}
|
|
if(!inhibit_zero || s->svr.qtype_big) {
|
|
if(!ssl_printf(ssl, "num.query.type.other"SQ"%lu\n",
|
|
(unsigned long)s->svr.qtype_big)) return 0;
|
|
}
|
|
/* CLASS */
|
|
for(i=0; i<STATS_QCLASS_NUM; i++) {
|
|
if(inhibit_zero && s->svr.qclass[i] == 0)
|
|
continue;
|
|
lt = sldns_lookup_by_id(sldns_rr_classes, i);
|
|
if(lt && lt->name) {
|
|
snprintf(nm, sizeof(nm), "%s", lt->name);
|
|
} else {
|
|
snprintf(nm, sizeof(nm), "CLASS%d", i);
|
|
}
|
|
if(!ssl_printf(ssl, "num.query.class.%s"SQ"%lu\n",
|
|
nm, (unsigned long)s->svr.qclass[i])) return 0;
|
|
}
|
|
if(!inhibit_zero || s->svr.qclass_big) {
|
|
if(!ssl_printf(ssl, "num.query.class.other"SQ"%lu\n",
|
|
(unsigned long)s->svr.qclass_big)) return 0;
|
|
}
|
|
/* OPCODE */
|
|
for(i=0; i<STATS_OPCODE_NUM; i++) {
|
|
if(inhibit_zero && s->svr.qopcode[i] == 0)
|
|
continue;
|
|
lt = sldns_lookup_by_id(sldns_opcodes, i);
|
|
if(lt && lt->name) {
|
|
snprintf(nm, sizeof(nm), "%s", lt->name);
|
|
} else {
|
|
snprintf(nm, sizeof(nm), "OPCODE%d", i);
|
|
}
|
|
if(!ssl_printf(ssl, "num.query.opcode.%s"SQ"%lu\n",
|
|
nm, (unsigned long)s->svr.qopcode[i])) return 0;
|
|
}
|
|
/* transport */
|
|
if(!ssl_printf(ssl, "num.query.tcp"SQ"%lu\n",
|
|
(unsigned long)s->svr.qtcp)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n",
|
|
(unsigned long)s->svr.qtcp_outgoing)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.ipv6"SQ"%lu\n",
|
|
(unsigned long)s->svr.qipv6)) return 0;
|
|
/* flags */
|
|
if(!ssl_printf(ssl, "num.query.flags.QR"SQ"%lu\n",
|
|
(unsigned long)s->svr.qbit_QR)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.flags.AA"SQ"%lu\n",
|
|
(unsigned long)s->svr.qbit_AA)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.flags.TC"SQ"%lu\n",
|
|
(unsigned long)s->svr.qbit_TC)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.flags.RD"SQ"%lu\n",
|
|
(unsigned long)s->svr.qbit_RD)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.flags.RA"SQ"%lu\n",
|
|
(unsigned long)s->svr.qbit_RA)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.flags.Z"SQ"%lu\n",
|
|
(unsigned long)s->svr.qbit_Z)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.flags.AD"SQ"%lu\n",
|
|
(unsigned long)s->svr.qbit_AD)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.flags.CD"SQ"%lu\n",
|
|
(unsigned long)s->svr.qbit_CD)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.edns.present"SQ"%lu\n",
|
|
(unsigned long)s->svr.qEDNS)) return 0;
|
|
if(!ssl_printf(ssl, "num.query.edns.DO"SQ"%lu\n",
|
|
(unsigned long)s->svr.qEDNS_DO)) return 0;
|
|
|
|
/* RCODE */
|
|
for(i=0; i<STATS_RCODE_NUM; i++) {
|
|
/* Always include RCODEs 0-5 */
|
|
if(inhibit_zero && i > LDNS_RCODE_REFUSED && s->svr.ans_rcode[i] == 0)
|
|
continue;
|
|
lt = sldns_lookup_by_id(sldns_rcodes, i);
|
|
if(lt && lt->name) {
|
|
snprintf(nm, sizeof(nm), "%s", lt->name);
|
|
} else {
|
|
snprintf(nm, sizeof(nm), "RCODE%d", i);
|
|
}
|
|
if(!ssl_printf(ssl, "num.answer.rcode.%s"SQ"%lu\n",
|
|
nm, (unsigned long)s->svr.ans_rcode[i])) return 0;
|
|
}
|
|
if(!inhibit_zero || s->svr.ans_rcode_nodata) {
|
|
if(!ssl_printf(ssl, "num.answer.rcode.nodata"SQ"%lu\n",
|
|
(unsigned long)s->svr.ans_rcode_nodata)) return 0;
|
|
}
|
|
/* validation */
|
|
if(!ssl_printf(ssl, "num.answer.secure"SQ"%lu\n",
|
|
(unsigned long)s->svr.ans_secure)) return 0;
|
|
if(!ssl_printf(ssl, "num.answer.bogus"SQ"%lu\n",
|
|
(unsigned long)s->svr.ans_bogus)) return 0;
|
|
if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
|
|
(unsigned long)s->svr.rrset_bogus)) return 0;
|
|
/* threat detection */
|
|
if(!ssl_printf(ssl, "unwanted.queries"SQ"%lu\n",
|
|
(unsigned long)s->svr.unwanted_queries)) return 0;
|
|
if(!ssl_printf(ssl, "unwanted.replies"SQ"%lu\n",
|
|
(unsigned long)s->svr.unwanted_replies)) return 0;
|
|
/* cache counts */
|
|
if(!ssl_printf(ssl, "msg.cache.count"SQ"%u\n",
|
|
(unsigned)s->svr.msg_cache_count)) return 0;
|
|
if(!ssl_printf(ssl, "rrset.cache.count"SQ"%u\n",
|
|
(unsigned)s->svr.rrset_cache_count)) return 0;
|
|
if(!ssl_printf(ssl, "infra.cache.count"SQ"%u\n",
|
|
(unsigned)s->svr.infra_cache_count)) return 0;
|
|
if(!ssl_printf(ssl, "key.cache.count"SQ"%u\n",
|
|
(unsigned)s->svr.key_cache_count)) return 0;
|
|
return 1;
|
|
}
|
|
|
|
/** do the stats command */
|
|
static void
|
|
do_stats(SSL* ssl, struct daemon_remote* rc, int reset)
|
|
{
|
|
struct daemon* daemon = rc->worker->daemon;
|
|
struct stats_info total;
|
|
struct stats_info s;
|
|
int i;
|
|
log_assert(daemon->num > 0);
|
|
/* gather all thread statistics in one place */
|
|
for(i=0; i<daemon->num; i++) {
|
|
server_stats_obtain(rc->worker, daemon->workers[i], &s, reset);
|
|
if(!print_thread_stats(ssl, i, &s))
|
|
return;
|
|
if(i == 0)
|
|
total = s;
|
|
else server_stats_add(&total, &s);
|
|
}
|
|
/* print the thread statistics */
|
|
total.mesh_time_median /= (double)daemon->num;
|
|
if(!print_stats(ssl, "total", &total))
|
|
return;
|
|
if(!print_uptime(ssl, rc->worker, reset))
|
|
return;
|
|
if(daemon->cfg->stat_extended) {
|
|
if(!print_mem(ssl, rc->worker, daemon))
|
|
return;
|
|
if(!print_hist(ssl, &total))
|
|
return;
|
|
if(!print_ext(ssl, &total))
|
|
return;
|
|
}
|
|
}
|
|
|
|
/** parse commandline argument domain name */
|
|
static int
|
|
parse_arg_name(SSL* ssl, char* str, uint8_t** res, size_t* len, int* labs)
|
|
{
|
|
uint8_t nm[LDNS_MAX_DOMAINLEN+1];
|
|
size_t nmlen = sizeof(nm);
|
|
int status;
|
|
*res = NULL;
|
|
*len = 0;
|
|
*labs = 0;
|
|
status = sldns_str2wire_dname_buf(str, nm, &nmlen);
|
|
if(status != 0) {
|
|
ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", str,
|
|
LDNS_WIREPARSE_OFFSET(status),
|
|
sldns_get_errorstr_parse(status));
|
|
return 0;
|
|
}
|
|
*res = memdup(nm, nmlen);
|
|
if(!*res) {
|
|
ssl_printf(ssl, "error out of memory\n");
|
|
return 0;
|
|
}
|
|
*labs = dname_count_size_labels(*res, len);
|
|
return 1;
|
|
}
|
|
|
|
/** find second argument, modifies string */
|
|
static int
|
|
find_arg2(SSL* ssl, char* arg, char** arg2)
|
|
{
|
|
char* as = strchr(arg, ' ');
|
|
char* at = strchr(arg, '\t');
|
|
if(as && at) {
|
|
if(at < as)
|
|
as = at;
|
|
as[0]=0;
|
|
*arg2 = skipwhite(as+1);
|
|
} else if(as) {
|
|
as[0]=0;
|
|
*arg2 = skipwhite(as+1);
|
|
} else if(at) {
|
|
at[0]=0;
|
|
*arg2 = skipwhite(at+1);
|
|
} else {
|
|
ssl_printf(ssl, "error could not find next argument "
|
|
"after %s\n", arg);
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** Add a new zone */
|
|
static int
|
|
perform_zone_add(SSL* ssl, struct local_zones* zones, char* arg)
|
|
{
|
|
uint8_t* nm;
|
|
int nmlabs;
|
|
size_t nmlen;
|
|
char* arg2;
|
|
enum localzone_type t;
|
|
struct local_zone* z;
|
|
if(!find_arg2(ssl, arg, &arg2))
|
|
return 0;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return 0;
|
|
if(!local_zone_str2type(arg2, &t)) {
|
|
ssl_printf(ssl, "error not a zone type. %s\n", arg2);
|
|
free(nm);
|
|
return 0;
|
|
}
|
|
lock_rw_wrlock(&zones->lock);
|
|
if((z=local_zones_find(zones, nm, nmlen,
|
|
nmlabs, LDNS_RR_CLASS_IN))) {
|
|
/* already present in tree */
|
|
lock_rw_wrlock(&z->lock);
|
|
z->type = t; /* update type anyway */
|
|
lock_rw_unlock(&z->lock);
|
|
free(nm);
|
|
lock_rw_unlock(&zones->lock);
|
|
return 1;
|
|
}
|
|
if(!local_zones_add_zone(zones, nm, nmlen,
|
|
nmlabs, LDNS_RR_CLASS_IN, t)) {
|
|
lock_rw_unlock(&zones->lock);
|
|
ssl_printf(ssl, "error out of memory\n");
|
|
return 0;
|
|
}
|
|
lock_rw_unlock(&zones->lock);
|
|
return 1;
|
|
}
|
|
|
|
/** Do the local_zone command */
|
|
static void
|
|
do_zone_add(SSL* ssl, struct local_zones* zones, char* arg)
|
|
{
|
|
if(!perform_zone_add(ssl, zones, arg))
|
|
return;
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** Do the local_zones command */
|
|
static void
|
|
do_zones_add(SSL* ssl, struct local_zones* zones)
|
|
{
|
|
char buf[2048];
|
|
int num = 0;
|
|
while(ssl_read_line(ssl, buf, sizeof(buf))) {
|
|
if(buf[0] == 0x04 && buf[1] == 0)
|
|
break; /* end of transmission */
|
|
if(!perform_zone_add(ssl, zones, buf)) {
|
|
if(!ssl_printf(ssl, "error for input line: %s\n", buf))
|
|
return;
|
|
}
|
|
else
|
|
num++;
|
|
}
|
|
(void)ssl_printf(ssl, "added %d zones\n", num);
|
|
}
|
|
|
|
/** Remove a zone */
|
|
static int
|
|
perform_zone_remove(SSL* ssl, struct local_zones* zones, char* arg)
|
|
{
|
|
uint8_t* nm;
|
|
int nmlabs;
|
|
size_t nmlen;
|
|
struct local_zone* z;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return 0;
|
|
lock_rw_wrlock(&zones->lock);
|
|
if((z=local_zones_find(zones, nm, nmlen,
|
|
nmlabs, LDNS_RR_CLASS_IN))) {
|
|
/* present in tree */
|
|
local_zones_del_zone(zones, z);
|
|
}
|
|
lock_rw_unlock(&zones->lock);
|
|
free(nm);
|
|
return 1;
|
|
}
|
|
|
|
/** Do the local_zone_remove command */
|
|
static void
|
|
do_zone_remove(SSL* ssl, struct local_zones* zones, char* arg)
|
|
{
|
|
if(!perform_zone_remove(ssl, zones, arg))
|
|
return;
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** Do the local_zones_remove command */
|
|
static void
|
|
do_zones_remove(SSL* ssl, struct local_zones* zones)
|
|
{
|
|
char buf[2048];
|
|
int num = 0;
|
|
while(ssl_read_line(ssl, buf, sizeof(buf))) {
|
|
if(buf[0] == 0x04 && buf[1] == 0)
|
|
break; /* end of transmission */
|
|
if(!perform_zone_remove(ssl, zones, buf)) {
|
|
if(!ssl_printf(ssl, "error for input line: %s\n", buf))
|
|
return;
|
|
}
|
|
else
|
|
num++;
|
|
}
|
|
(void)ssl_printf(ssl, "removed %d zones\n", num);
|
|
}
|
|
|
|
/** Add new RR data */
|
|
static int
|
|
perform_data_add(SSL* ssl, struct local_zones* zones, char* arg)
|
|
{
|
|
if(!local_zones_add_RR(zones, arg)) {
|
|
ssl_printf(ssl,"error in syntax or out of memory, %s\n", arg);
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** Do the local_data command */
|
|
static void
|
|
do_data_add(SSL* ssl, struct local_zones* zones, char* arg)
|
|
{
|
|
if(!perform_data_add(ssl, zones, arg))
|
|
return;
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** Do the local_datas command */
|
|
static void
|
|
do_datas_add(SSL* ssl, struct local_zones* zones)
|
|
{
|
|
char buf[2048];
|
|
int num = 0;
|
|
while(ssl_read_line(ssl, buf, sizeof(buf))) {
|
|
if(buf[0] == 0x04 && buf[1] == 0)
|
|
break; /* end of transmission */
|
|
if(!perform_data_add(ssl, zones, buf)) {
|
|
if(!ssl_printf(ssl, "error for input line: %s\n", buf))
|
|
return;
|
|
}
|
|
else
|
|
num++;
|
|
}
|
|
(void)ssl_printf(ssl, "added %d datas\n", num);
|
|
}
|
|
|
|
/** Remove RR data */
|
|
static int
|
|
perform_data_remove(SSL* ssl, struct local_zones* zones, char* arg)
|
|
{
|
|
uint8_t* nm;
|
|
int nmlabs;
|
|
size_t nmlen;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return 0;
|
|
local_zones_del_data(zones, nm,
|
|
nmlen, nmlabs, LDNS_RR_CLASS_IN);
|
|
free(nm);
|
|
return 1;
|
|
}
|
|
|
|
/** Do the local_data_remove command */
|
|
static void
|
|
do_data_remove(SSL* ssl, struct local_zones* zones, char* arg)
|
|
{
|
|
if(!perform_data_remove(ssl, zones, arg))
|
|
return;
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** Do the local_datas_remove command */
|
|
static void
|
|
do_datas_remove(SSL* ssl, struct local_zones* zones)
|
|
{
|
|
char buf[2048];
|
|
int num = 0;
|
|
while(ssl_read_line(ssl, buf, sizeof(buf))) {
|
|
if(buf[0] == 0x04 && buf[1] == 0)
|
|
break; /* end of transmission */
|
|
if(!perform_data_remove(ssl, zones, buf)) {
|
|
if(!ssl_printf(ssl, "error for input line: %s\n", buf))
|
|
return;
|
|
}
|
|
else
|
|
num++;
|
|
}
|
|
(void)ssl_printf(ssl, "removed %d datas\n", num);
|
|
}
|
|
|
|
/** Add a new zone to view */
|
|
static void
|
|
do_view_zone_add(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
char* arg2;
|
|
struct view* v;
|
|
if(!find_arg2(ssl, arg, &arg2))
|
|
return;
|
|
v = views_find_view(worker->daemon->views,
|
|
arg, 1 /* get write lock*/);
|
|
if(!v) {
|
|
ssl_printf(ssl,"no view with name: %s\n", arg);
|
|
return;
|
|
}
|
|
if(!v->local_zones) {
|
|
if(!(v->local_zones = local_zones_create())){
|
|
lock_rw_unlock(&v->lock);
|
|
ssl_printf(ssl,"error out of memory\n");
|
|
return;
|
|
}
|
|
}
|
|
do_zone_add(ssl, v->local_zones, arg2);
|
|
lock_rw_unlock(&v->lock);
|
|
}
|
|
|
|
/** Remove a zone from view */
|
|
static void
|
|
do_view_zone_remove(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
char* arg2;
|
|
struct view* v;
|
|
if(!find_arg2(ssl, arg, &arg2))
|
|
return;
|
|
v = views_find_view(worker->daemon->views,
|
|
arg, 1 /* get write lock*/);
|
|
if(!v) {
|
|
ssl_printf(ssl,"no view with name: %s\n", arg);
|
|
return;
|
|
}
|
|
if(!v->local_zones) {
|
|
lock_rw_unlock(&v->lock);
|
|
send_ok(ssl);
|
|
return;
|
|
}
|
|
do_zone_remove(ssl, v->local_zones, arg2);
|
|
lock_rw_unlock(&v->lock);
|
|
}
|
|
|
|
/** Add new RR data to view */
|
|
static void
|
|
do_view_data_add(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
char* arg2;
|
|
struct view* v;
|
|
if(!find_arg2(ssl, arg, &arg2))
|
|
return;
|
|
v = views_find_view(worker->daemon->views,
|
|
arg, 1 /* get write lock*/);
|
|
if(!v) {
|
|
ssl_printf(ssl,"no view with name: %s\n", arg);
|
|
return;
|
|
}
|
|
if(!v->local_zones) {
|
|
if(!(v->local_zones = local_zones_create())){
|
|
lock_rw_unlock(&v->lock);
|
|
ssl_printf(ssl,"error out of memory\n");
|
|
return;
|
|
}
|
|
}
|
|
do_data_add(ssl, v->local_zones, arg2);
|
|
lock_rw_unlock(&v->lock);
|
|
}
|
|
|
|
/** Remove RR data from view */
|
|
static void
|
|
do_view_data_remove(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
char* arg2;
|
|
struct view* v;
|
|
if(!find_arg2(ssl, arg, &arg2))
|
|
return;
|
|
v = views_find_view(worker->daemon->views,
|
|
arg, 1 /* get write lock*/);
|
|
if(!v) {
|
|
ssl_printf(ssl,"no view with name: %s\n", arg);
|
|
return;
|
|
}
|
|
if(!v->local_zones) {
|
|
lock_rw_unlock(&v->lock);
|
|
send_ok(ssl);
|
|
return;
|
|
}
|
|
do_data_remove(ssl, v->local_zones, arg2);
|
|
lock_rw_unlock(&v->lock);
|
|
}
|
|
|
|
/** cache lookup of nameservers */
|
|
static void
|
|
do_lookup(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
uint8_t* nm;
|
|
int nmlabs;
|
|
size_t nmlen;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return;
|
|
(void)print_deleg_lookup(ssl, worker, nm, nmlen, nmlabs);
|
|
free(nm);
|
|
}
|
|
|
|
/** flush something from rrset and msg caches */
|
|
static void
|
|
do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen,
|
|
uint16_t t, uint16_t c)
|
|
{
|
|
hashvalue_type h;
|
|
struct query_info k;
|
|
rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, 0);
|
|
if(t == LDNS_RR_TYPE_SOA)
|
|
rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c,
|
|
PACKED_RRSET_SOA_NEG);
|
|
k.qname = nm;
|
|
k.qname_len = nmlen;
|
|
k.qtype = t;
|
|
k.qclass = c;
|
|
k.local_alias = NULL;
|
|
h = query_info_hash(&k, 0);
|
|
slabhash_remove(worker->env.msg_cache, h, &k);
|
|
if(t == LDNS_RR_TYPE_AAAA) {
|
|
/* for AAAA also flush dns64 bit_cd packet */
|
|
h = query_info_hash(&k, BIT_CD);
|
|
slabhash_remove(worker->env.msg_cache, h, &k);
|
|
}
|
|
}
|
|
|
|
/** flush a type */
|
|
static void
|
|
do_flush_type(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
uint8_t* nm;
|
|
int nmlabs;
|
|
size_t nmlen;
|
|
char* arg2;
|
|
uint16_t t;
|
|
if(!find_arg2(ssl, arg, &arg2))
|
|
return;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return;
|
|
t = sldns_get_rr_type_by_name(arg2);
|
|
do_cache_remove(worker, nm, nmlen, t, LDNS_RR_CLASS_IN);
|
|
|
|
free(nm);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** flush statistics */
|
|
static void
|
|
do_flush_stats(SSL* ssl, struct worker* worker)
|
|
{
|
|
worker_stats_clear(worker);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/**
|
|
* Local info for deletion functions
|
|
*/
|
|
struct del_info {
|
|
/** worker */
|
|
struct worker* worker;
|
|
/** name to delete */
|
|
uint8_t* name;
|
|
/** length */
|
|
size_t len;
|
|
/** labels */
|
|
int labs;
|
|
/** time to invalidate to */
|
|
time_t expired;
|
|
/** number of rrsets removed */
|
|
size_t num_rrsets;
|
|
/** number of msgs removed */
|
|
size_t num_msgs;
|
|
/** number of key entries removed */
|
|
size_t num_keys;
|
|
/** length of addr */
|
|
socklen_t addrlen;
|
|
/** socket address for host deletion */
|
|
struct sockaddr_storage addr;
|
|
};
|
|
|
|
/** callback to delete hosts in infra cache */
|
|
static void
|
|
infra_del_host(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct infra_key* k = (struct infra_key*)e->key;
|
|
if(sockaddr_cmp(&inf->addr, inf->addrlen, &k->addr, k->addrlen) == 0) {
|
|
struct infra_data* d = (struct infra_data*)e->data;
|
|
d->probedelay = 0;
|
|
d->timeout_A = 0;
|
|
d->timeout_AAAA = 0;
|
|
d->timeout_other = 0;
|
|
rtt_init(&d->rtt);
|
|
if(d->ttl > inf->expired) {
|
|
d->ttl = inf->expired;
|
|
inf->num_keys++;
|
|
}
|
|
}
|
|
}
|
|
|
|
/** flush infra cache */
|
|
static void
|
|
do_flush_infra(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
struct sockaddr_storage addr;
|
|
socklen_t len;
|
|
struct del_info inf;
|
|
if(strcmp(arg, "all") == 0) {
|
|
slabhash_clear(worker->env.infra_cache->hosts);
|
|
send_ok(ssl);
|
|
return;
|
|
}
|
|
if(!ipstrtoaddr(arg, UNBOUND_DNS_PORT, &addr, &len)) {
|
|
(void)ssl_printf(ssl, "error parsing ip addr: '%s'\n", arg);
|
|
return;
|
|
}
|
|
/* delete all entries from cache */
|
|
/* what we do is to set them all expired */
|
|
inf.worker = worker;
|
|
inf.name = 0;
|
|
inf.len = 0;
|
|
inf.labs = 0;
|
|
inf.expired = *worker->env.now;
|
|
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
|
inf.num_rrsets = 0;
|
|
inf.num_msgs = 0;
|
|
inf.num_keys = 0;
|
|
inf.addrlen = len;
|
|
memmove(&inf.addr, &addr, len);
|
|
slabhash_traverse(worker->env.infra_cache->hosts, 1, &infra_del_host,
|
|
&inf);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** flush requestlist */
|
|
static void
|
|
do_flush_requestlist(SSL* ssl, struct worker* worker)
|
|
{
|
|
mesh_delete_all(worker->env.mesh);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** callback to delete rrsets in a zone */
|
|
static void
|
|
zone_del_rrset(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
|
|
if(dname_subdomain_c(k->rk.dname, inf->name)) {
|
|
struct packed_rrset_data* d =
|
|
(struct packed_rrset_data*)e->data;
|
|
if(d->ttl > inf->expired) {
|
|
d->ttl = inf->expired;
|
|
inf->num_rrsets++;
|
|
}
|
|
}
|
|
}
|
|
|
|
/** callback to delete messages in a zone */
|
|
static void
|
|
zone_del_msg(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct msgreply_entry* k = (struct msgreply_entry*)e->key;
|
|
if(dname_subdomain_c(k->key.qname, inf->name)) {
|
|
struct reply_info* d = (struct reply_info*)e->data;
|
|
if(d->ttl > inf->expired) {
|
|
d->ttl = inf->expired;
|
|
inf->num_msgs++;
|
|
}
|
|
}
|
|
}
|
|
|
|
/** callback to delete keys in zone */
|
|
static void
|
|
zone_del_kcache(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct key_entry_key* k = (struct key_entry_key*)e->key;
|
|
if(dname_subdomain_c(k->name, inf->name)) {
|
|
struct key_entry_data* d = (struct key_entry_data*)e->data;
|
|
if(d->ttl > inf->expired) {
|
|
d->ttl = inf->expired;
|
|
inf->num_keys++;
|
|
}
|
|
}
|
|
}
|
|
|
|
/** remove all rrsets and keys from zone from cache */
|
|
static void
|
|
do_flush_zone(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
uint8_t* nm;
|
|
int nmlabs;
|
|
size_t nmlen;
|
|
struct del_info inf;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return;
|
|
/* delete all RRs and key entries from zone */
|
|
/* what we do is to set them all expired */
|
|
inf.worker = worker;
|
|
inf.name = nm;
|
|
inf.len = nmlen;
|
|
inf.labs = nmlabs;
|
|
inf.expired = *worker->env.now;
|
|
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
|
inf.num_rrsets = 0;
|
|
inf.num_msgs = 0;
|
|
inf.num_keys = 0;
|
|
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
|
&zone_del_rrset, &inf);
|
|
|
|
slabhash_traverse(worker->env.msg_cache, 1, &zone_del_msg, &inf);
|
|
|
|
/* and validator cache */
|
|
if(worker->env.key_cache) {
|
|
slabhash_traverse(worker->env.key_cache->slab, 1,
|
|
&zone_del_kcache, &inf);
|
|
}
|
|
|
|
free(nm);
|
|
|
|
(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
|
|
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
|
(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
|
|
}
|
|
|
|
/** callback to delete bogus rrsets */
|
|
static void
|
|
bogus_del_rrset(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
|
|
if(d->security == sec_status_bogus) {
|
|
d->ttl = inf->expired;
|
|
inf->num_rrsets++;
|
|
}
|
|
}
|
|
|
|
/** callback to delete bogus messages */
|
|
static void
|
|
bogus_del_msg(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct reply_info* d = (struct reply_info*)e->data;
|
|
if(d->security == sec_status_bogus) {
|
|
d->ttl = inf->expired;
|
|
inf->num_msgs++;
|
|
}
|
|
}
|
|
|
|
/** callback to delete bogus keys */
|
|
static void
|
|
bogus_del_kcache(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct key_entry_data* d = (struct key_entry_data*)e->data;
|
|
if(d->isbad) {
|
|
d->ttl = inf->expired;
|
|
inf->num_keys++;
|
|
}
|
|
}
|
|
|
|
/** remove all bogus rrsets, msgs and keys from cache */
|
|
static void
|
|
do_flush_bogus(SSL* ssl, struct worker* worker)
|
|
{
|
|
struct del_info inf;
|
|
/* what we do is to set them all expired */
|
|
inf.worker = worker;
|
|
inf.expired = *worker->env.now;
|
|
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
|
inf.num_rrsets = 0;
|
|
inf.num_msgs = 0;
|
|
inf.num_keys = 0;
|
|
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
|
&bogus_del_rrset, &inf);
|
|
|
|
slabhash_traverse(worker->env.msg_cache, 1, &bogus_del_msg, &inf);
|
|
|
|
/* and validator cache */
|
|
if(worker->env.key_cache) {
|
|
slabhash_traverse(worker->env.key_cache->slab, 1,
|
|
&bogus_del_kcache, &inf);
|
|
}
|
|
|
|
(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
|
|
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
|
(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
|
|
}
|
|
|
|
/** callback to delete negative and servfail rrsets */
|
|
static void
|
|
negative_del_rrset(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key;
|
|
struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
|
|
/* delete the parentside negative cache rrsets,
|
|
* these are namerserver rrsets that failed lookup, rdata empty */
|
|
if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
|
|
d->rrsig_count == 0 && d->rr_len[0] == 0) {
|
|
d->ttl = inf->expired;
|
|
inf->num_rrsets++;
|
|
}
|
|
}
|
|
|
|
/** callback to delete negative and servfail messages */
|
|
static void
|
|
negative_del_msg(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct reply_info* d = (struct reply_info*)e->data;
|
|
/* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error
|
|
* or NOERROR rcode with ANCOUNT==0: a NODATA answer */
|
|
if(FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) {
|
|
d->ttl = inf->expired;
|
|
inf->num_msgs++;
|
|
}
|
|
}
|
|
|
|
/** callback to delete negative key entries */
|
|
static void
|
|
negative_del_kcache(struct lruhash_entry* e, void* arg)
|
|
{
|
|
/* entry is locked */
|
|
struct del_info* inf = (struct del_info*)arg;
|
|
struct key_entry_data* d = (struct key_entry_data*)e->data;
|
|
/* could be bad because of lookup failure on the DS, DNSKEY, which
|
|
* was nxdomain or servfail, and thus a result of negative lookups */
|
|
if(d->isbad) {
|
|
d->ttl = inf->expired;
|
|
inf->num_keys++;
|
|
}
|
|
}
|
|
|
|
/** remove all negative(NODATA,NXDOMAIN), and servfail messages from cache */
|
|
static void
|
|
do_flush_negative(SSL* ssl, struct worker* worker)
|
|
{
|
|
struct del_info inf;
|
|
/* what we do is to set them all expired */
|
|
inf.worker = worker;
|
|
inf.expired = *worker->env.now;
|
|
inf.expired -= 3; /* handle 3 seconds skew between threads */
|
|
inf.num_rrsets = 0;
|
|
inf.num_msgs = 0;
|
|
inf.num_keys = 0;
|
|
slabhash_traverse(&worker->env.rrset_cache->table, 1,
|
|
&negative_del_rrset, &inf);
|
|
|
|
slabhash_traverse(worker->env.msg_cache, 1, &negative_del_msg, &inf);
|
|
|
|
/* and validator cache */
|
|
if(worker->env.key_cache) {
|
|
slabhash_traverse(worker->env.key_cache->slab, 1,
|
|
&negative_del_kcache, &inf);
|
|
}
|
|
|
|
(void)ssl_printf(ssl, "ok removed %lu rrsets, %lu messages "
|
|
"and %lu key entries\n", (unsigned long)inf.num_rrsets,
|
|
(unsigned long)inf.num_msgs, (unsigned long)inf.num_keys);
|
|
}
|
|
|
|
/** remove name rrset from cache */
|
|
static void
|
|
do_flush_name(SSL* ssl, struct worker* w, char* arg)
|
|
{
|
|
uint8_t* nm;
|
|
int nmlabs;
|
|
size_t nmlen;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return;
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_A, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_AAAA, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SOA, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_CNAME, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_DNAME, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_MX, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_PTR, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SRV, LDNS_RR_CLASS_IN);
|
|
do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NAPTR, LDNS_RR_CLASS_IN);
|
|
|
|
free(nm);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** printout a delegation point info */
|
|
static int
|
|
ssl_print_name_dp(SSL* ssl, const char* str, uint8_t* nm, uint16_t dclass,
|
|
struct delegpt* dp)
|
|
{
|
|
char buf[257];
|
|
struct delegpt_ns* ns;
|
|
struct delegpt_addr* a;
|
|
int f = 0;
|
|
if(str) { /* print header for forward, stub */
|
|
char* c = sldns_wire2str_class(dclass);
|
|
dname_str(nm, buf);
|
|
if(!ssl_printf(ssl, "%s %s %s ", buf, (c?c:"CLASS??"), str)) {
|
|
free(c);
|
|
return 0;
|
|
}
|
|
free(c);
|
|
}
|
|
for(ns = dp->nslist; ns; ns = ns->next) {
|
|
dname_str(ns->name, buf);
|
|
if(!ssl_printf(ssl, "%s%s", (f?" ":""), buf))
|
|
return 0;
|
|
f = 1;
|
|
}
|
|
for(a = dp->target_list; a; a = a->next_target) {
|
|
addr_to_str(&a->addr, a->addrlen, buf, sizeof(buf));
|
|
if(!ssl_printf(ssl, "%s%s", (f?" ":""), buf))
|
|
return 0;
|
|
f = 1;
|
|
}
|
|
return ssl_printf(ssl, "\n");
|
|
}
|
|
|
|
|
|
/** print root forwards */
|
|
static int
|
|
print_root_fwds(SSL* ssl, struct iter_forwards* fwds, uint8_t* root)
|
|
{
|
|
struct delegpt* dp;
|
|
dp = forwards_lookup(fwds, root, LDNS_RR_CLASS_IN);
|
|
if(!dp)
|
|
return ssl_printf(ssl, "off (using root hints)\n");
|
|
/* if dp is returned it must be the root */
|
|
log_assert(query_dname_compare(dp->name, root)==0);
|
|
return ssl_print_name_dp(ssl, NULL, root, LDNS_RR_CLASS_IN, dp);
|
|
}
|
|
|
|
/** parse args into delegpt */
|
|
static struct delegpt*
|
|
parse_delegpt(SSL* ssl, char* args, uint8_t* nm, int allow_names)
|
|
{
|
|
/* parse args and add in */
|
|
char* p = args;
|
|
char* todo;
|
|
struct delegpt* dp = delegpt_create_mlc(nm);
|
|
struct sockaddr_storage addr;
|
|
socklen_t addrlen;
|
|
if(!dp) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
return NULL;
|
|
}
|
|
while(p) {
|
|
todo = p;
|
|
p = strchr(p, ' '); /* find next spot, if any */
|
|
if(p) {
|
|
*p++ = 0; /* end this spot */
|
|
p = skipwhite(p); /* position at next spot */
|
|
}
|
|
/* parse address */
|
|
if(!extstrtoaddr(todo, &addr, &addrlen)) {
|
|
if(allow_names) {
|
|
uint8_t* n = NULL;
|
|
size_t ln;
|
|
int lb;
|
|
if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) {
|
|
(void)ssl_printf(ssl, "error cannot "
|
|
"parse IP address or name "
|
|
"'%s'\n", todo);
|
|
delegpt_free_mlc(dp);
|
|
return NULL;
|
|
}
|
|
if(!delegpt_add_ns_mlc(dp, n, 0)) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
free(n);
|
|
delegpt_free_mlc(dp);
|
|
return NULL;
|
|
}
|
|
free(n);
|
|
|
|
} else {
|
|
(void)ssl_printf(ssl, "error cannot parse"
|
|
" IP address '%s'\n", todo);
|
|
delegpt_free_mlc(dp);
|
|
return NULL;
|
|
}
|
|
} else {
|
|
/* add address */
|
|
if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0)) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
delegpt_free_mlc(dp);
|
|
return NULL;
|
|
}
|
|
}
|
|
}
|
|
dp->has_parent_side_NS = 1;
|
|
return dp;
|
|
}
|
|
|
|
/** do the status command */
|
|
static void
|
|
do_forward(SSL* ssl, struct worker* worker, char* args)
|
|
{
|
|
struct iter_forwards* fwd = worker->env.fwds;
|
|
uint8_t* root = (uint8_t*)"\000";
|
|
if(!fwd) {
|
|
(void)ssl_printf(ssl, "error: structure not allocated\n");
|
|
return;
|
|
}
|
|
if(args == NULL || args[0] == 0) {
|
|
(void)print_root_fwds(ssl, fwd, root);
|
|
return;
|
|
}
|
|
/* set root forwards for this thread. since we are in remote control
|
|
* the actual mesh is not running, so we can freely edit it. */
|
|
/* delete all the existing queries first */
|
|
mesh_delete_all(worker->env.mesh);
|
|
if(strcmp(args, "off") == 0) {
|
|
forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root);
|
|
} else {
|
|
struct delegpt* dp;
|
|
if(!(dp = parse_delegpt(ssl, args, root, 0)))
|
|
return;
|
|
if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
return;
|
|
}
|
|
}
|
|
send_ok(ssl);
|
|
}
|
|
|
|
static int
|
|
parse_fs_args(SSL* ssl, char* args, uint8_t** nm, struct delegpt** dp,
|
|
int* insecure, int* prime)
|
|
{
|
|
char* zonename;
|
|
char* rest;
|
|
size_t nmlen;
|
|
int nmlabs;
|
|
/* parse all -x args */
|
|
while(args[0] == '+') {
|
|
if(!find_arg2(ssl, args, &rest))
|
|
return 0;
|
|
while(*(++args) != 0) {
|
|
if(*args == 'i' && insecure)
|
|
*insecure = 1;
|
|
else if(*args == 'p' && prime)
|
|
*prime = 1;
|
|
else {
|
|
(void)ssl_printf(ssl, "error: unknown option %s\n", args);
|
|
return 0;
|
|
}
|
|
}
|
|
args = rest;
|
|
}
|
|
/* parse name */
|
|
if(dp) {
|
|
if(!find_arg2(ssl, args, &rest))
|
|
return 0;
|
|
zonename = args;
|
|
args = rest;
|
|
} else zonename = args;
|
|
if(!parse_arg_name(ssl, zonename, nm, &nmlen, &nmlabs))
|
|
return 0;
|
|
|
|
/* parse dp */
|
|
if(dp) {
|
|
if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) {
|
|
free(*nm);
|
|
return 0;
|
|
}
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
/** do the forward_add command */
|
|
static void
|
|
do_forward_add(SSL* ssl, struct worker* worker, char* args)
|
|
{
|
|
struct iter_forwards* fwd = worker->env.fwds;
|
|
int insecure = 0;
|
|
uint8_t* nm = NULL;
|
|
struct delegpt* dp = NULL;
|
|
if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
|
|
return;
|
|
if(insecure && worker->env.anchors) {
|
|
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
|
|
nm)) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
delegpt_free_mlc(dp);
|
|
free(nm);
|
|
return;
|
|
}
|
|
}
|
|
if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
free(nm);
|
|
return;
|
|
}
|
|
free(nm);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** do the forward_remove command */
|
|
static void
|
|
do_forward_remove(SSL* ssl, struct worker* worker, char* args)
|
|
{
|
|
struct iter_forwards* fwd = worker->env.fwds;
|
|
int insecure = 0;
|
|
uint8_t* nm = NULL;
|
|
if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
|
|
return;
|
|
if(insecure && worker->env.anchors)
|
|
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
|
|
nm);
|
|
forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, nm);
|
|
free(nm);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** do the stub_add command */
|
|
static void
|
|
do_stub_add(SSL* ssl, struct worker* worker, char* args)
|
|
{
|
|
struct iter_forwards* fwd = worker->env.fwds;
|
|
int insecure = 0, prime = 0;
|
|
uint8_t* nm = NULL;
|
|
struct delegpt* dp = NULL;
|
|
if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
|
|
return;
|
|
if(insecure && worker->env.anchors) {
|
|
if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
|
|
nm)) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
delegpt_free_mlc(dp);
|
|
free(nm);
|
|
return;
|
|
}
|
|
}
|
|
if(!forwards_add_stub_hole(fwd, LDNS_RR_CLASS_IN, nm)) {
|
|
if(insecure && worker->env.anchors)
|
|
anchors_delete_insecure(worker->env.anchors,
|
|
LDNS_RR_CLASS_IN, nm);
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
delegpt_free_mlc(dp);
|
|
free(nm);
|
|
return;
|
|
}
|
|
if(!hints_add_stub(worker->env.hints, LDNS_RR_CLASS_IN, dp, !prime)) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm);
|
|
if(insecure && worker->env.anchors)
|
|
anchors_delete_insecure(worker->env.anchors,
|
|
LDNS_RR_CLASS_IN, nm);
|
|
free(nm);
|
|
return;
|
|
}
|
|
free(nm);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** do the stub_remove command */
|
|
static void
|
|
do_stub_remove(SSL* ssl, struct worker* worker, char* args)
|
|
{
|
|
struct iter_forwards* fwd = worker->env.fwds;
|
|
int insecure = 0;
|
|
uint8_t* nm = NULL;
|
|
if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
|
|
return;
|
|
if(insecure && worker->env.anchors)
|
|
anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
|
|
nm);
|
|
forwards_delete_stub_hole(fwd, LDNS_RR_CLASS_IN, nm);
|
|
hints_delete_stub(worker->env.hints, LDNS_RR_CLASS_IN, nm);
|
|
free(nm);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** do the insecure_add command */
|
|
static void
|
|
do_insecure_add(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
size_t nmlen;
|
|
int nmlabs;
|
|
uint8_t* nm = NULL;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return;
|
|
if(worker->env.anchors) {
|
|
if(!anchors_add_insecure(worker->env.anchors,
|
|
LDNS_RR_CLASS_IN, nm)) {
|
|
(void)ssl_printf(ssl, "error out of memory\n");
|
|
free(nm);
|
|
return;
|
|
}
|
|
}
|
|
free(nm);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/** do the insecure_remove command */
|
|
static void
|
|
do_insecure_remove(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
size_t nmlen;
|
|
int nmlabs;
|
|
uint8_t* nm = NULL;
|
|
if(!parse_arg_name(ssl, arg, &nm, &nmlen, &nmlabs))
|
|
return;
|
|
if(worker->env.anchors)
|
|
anchors_delete_insecure(worker->env.anchors,
|
|
LDNS_RR_CLASS_IN, nm);
|
|
free(nm);
|
|
send_ok(ssl);
|
|
}
|
|
|
|
static void
|
|
do_insecure_list(SSL* ssl, struct worker* worker)
|
|
{
|
|
char buf[257];
|
|
struct trust_anchor* a;
|
|
if(worker->env.anchors) {
|
|
RBTREE_FOR(a, struct trust_anchor*, worker->env.anchors->tree) {
|
|
if(a->numDS == 0 && a->numDNSKEY == 0) {
|
|
dname_str(a->name, buf);
|
|
ssl_printf(ssl, "%s\n", buf);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/** do the status command */
|
|
static void
|
|
do_status(SSL* ssl, struct worker* worker)
|
|
{
|
|
int i;
|
|
time_t uptime;
|
|
if(!ssl_printf(ssl, "version: %s\n", PACKAGE_VERSION))
|
|
return;
|
|
if(!ssl_printf(ssl, "verbosity: %d\n", verbosity))
|
|
return;
|
|
if(!ssl_printf(ssl, "threads: %d\n", worker->daemon->num))
|
|
return;
|
|
if(!ssl_printf(ssl, "modules: %d [", worker->daemon->mods.num))
|
|
return;
|
|
for(i=0; i<worker->daemon->mods.num; i++) {
|
|
if(!ssl_printf(ssl, " %s", worker->daemon->mods.mod[i]->name))
|
|
return;
|
|
}
|
|
if(!ssl_printf(ssl, " ]\n"))
|
|
return;
|
|
uptime = (time_t)time(NULL) - (time_t)worker->daemon->time_boot.tv_sec;
|
|
if(!ssl_printf(ssl, "uptime: " ARG_LL "d seconds\n", (long long)uptime))
|
|
return;
|
|
if(!ssl_printf(ssl, "options:%s%s\n" ,
|
|
(worker->daemon->reuseport?" reuseport":""),
|
|
(worker->daemon->rc->accept_list?" control(ssl)":"")))
|
|
return;
|
|
if(!ssl_printf(ssl, "unbound (pid %d) is running...\n",
|
|
(int)getpid()))
|
|
return;
|
|
}
|
|
|
|
/** get age for the mesh state */
|
|
static void
|
|
get_mesh_age(struct mesh_state* m, char* buf, size_t len,
|
|
struct module_env* env)
|
|
{
|
|
if(m->reply_list) {
|
|
struct timeval d;
|
|
struct mesh_reply* r = m->reply_list;
|
|
/* last reply is the oldest */
|
|
while(r && r->next)
|
|
r = r->next;
|
|
timeval_subtract(&d, env->now_tv, &r->start_time);
|
|
snprintf(buf, len, ARG_LL "d.%6.6d",
|
|
(long long)d.tv_sec, (int)d.tv_usec);
|
|
} else {
|
|
snprintf(buf, len, "-");
|
|
}
|
|
}
|
|
|
|
/** get status of a mesh state */
|
|
static void
|
|
get_mesh_status(struct mesh_area* mesh, struct mesh_state* m,
|
|
char* buf, size_t len)
|
|
{
|
|
enum module_ext_state s = m->s.ext_state[m->s.curmod];
|
|
const char *modname = mesh->mods.mod[m->s.curmod]->name;
|
|
size_t l;
|
|
if(strcmp(modname, "iterator") == 0 && s == module_wait_reply &&
|
|
m->s.minfo[m->s.curmod]) {
|
|
/* break into iterator to find out who its waiting for */
|
|
struct iter_qstate* qstate = (struct iter_qstate*)
|
|
m->s.minfo[m->s.curmod];
|
|
struct outbound_list* ol = &qstate->outlist;
|
|
struct outbound_entry* e;
|
|
snprintf(buf, len, "%s wait for", modname);
|
|
l = strlen(buf);
|
|
buf += l; len -= l;
|
|
if(ol->first == NULL)
|
|
snprintf(buf, len, " (empty_list)");
|
|
for(e = ol->first; e; e = e->next) {
|
|
snprintf(buf, len, " ");
|
|
l = strlen(buf);
|
|
buf += l; len -= l;
|
|
addr_to_str(&e->qsent->addr, e->qsent->addrlen,
|
|
buf, len);
|
|
l = strlen(buf);
|
|
buf += l; len -= l;
|
|
}
|
|
} else if(s == module_wait_subquery) {
|
|
/* look in subs from mesh state to see what */
|
|
char nm[257];
|
|
struct mesh_state_ref* sub;
|
|
snprintf(buf, len, "%s wants", modname);
|
|
l = strlen(buf);
|
|
buf += l; len -= l;
|
|
if(m->sub_set.count == 0)
|
|
snprintf(buf, len, " (empty_list)");
|
|
RBTREE_FOR(sub, struct mesh_state_ref*, &m->sub_set) {
|
|
char* t = sldns_wire2str_type(sub->s->s.qinfo.qtype);
|
|
char* c = sldns_wire2str_class(sub->s->s.qinfo.qclass);
|
|
dname_str(sub->s->s.qinfo.qname, nm);
|
|
snprintf(buf, len, " %s %s %s", (t?t:"TYPE??"),
|
|
(c?c:"CLASS??"), nm);
|
|
l = strlen(buf);
|
|
buf += l; len -= l;
|
|
free(t);
|
|
free(c);
|
|
}
|
|
} else {
|
|
snprintf(buf, len, "%s is %s", modname, strextstate(s));
|
|
}
|
|
}
|
|
|
|
/** do the dump_requestlist command */
|
|
static void
|
|
do_dump_requestlist(SSL* ssl, struct worker* worker)
|
|
{
|
|
struct mesh_area* mesh;
|
|
struct mesh_state* m;
|
|
int num = 0;
|
|
char buf[257];
|
|
char timebuf[32];
|
|
char statbuf[10240];
|
|
if(!ssl_printf(ssl, "thread #%d\n", worker->thread_num))
|
|
return;
|
|
if(!ssl_printf(ssl, "# type cl name seconds module status\n"))
|
|
return;
|
|
/* show worker mesh contents */
|
|
mesh = worker->env.mesh;
|
|
if(!mesh) return;
|
|
RBTREE_FOR(m, struct mesh_state*, &mesh->all) {
|
|
char* t = sldns_wire2str_type(m->s.qinfo.qtype);
|
|
char* c = sldns_wire2str_class(m->s.qinfo.qclass);
|
|
dname_str(m->s.qinfo.qname, buf);
|
|
get_mesh_age(m, timebuf, sizeof(timebuf), &worker->env);
|
|
get_mesh_status(mesh, m, statbuf, sizeof(statbuf));
|
|
if(!ssl_printf(ssl, "%3d %4s %2s %s %s %s\n",
|
|
num, (t?t:"TYPE??"), (c?c:"CLASS??"), buf, timebuf,
|
|
statbuf)) {
|
|
free(t);
|
|
free(c);
|
|
return;
|
|
}
|
|
num++;
|
|
free(t);
|
|
free(c);
|
|
}
|
|
}
|
|
|
|
/** structure for argument data for dump infra host */
|
|
struct infra_arg {
|
|
/** the infra cache */
|
|
struct infra_cache* infra;
|
|
/** the SSL connection */
|
|
SSL* ssl;
|
|
/** the time now */
|
|
time_t now;
|
|
/** ssl failure? stop writing and skip the rest. If the tcp
|
|
* connection is broken, and writes fail, we then stop writing. */
|
|
int ssl_failed;
|
|
};
|
|
|
|
/** callback for every host element in the infra cache */
|
|
static void
|
|
dump_infra_host(struct lruhash_entry* e, void* arg)
|
|
{
|
|
struct infra_arg* a = (struct infra_arg*)arg;
|
|
struct infra_key* k = (struct infra_key*)e->key;
|
|
struct infra_data* d = (struct infra_data*)e->data;
|
|
char ip_str[1024];
|
|
char name[257];
|
|
if(a->ssl_failed)
|
|
return;
|
|
addr_to_str(&k->addr, k->addrlen, ip_str, sizeof(ip_str));
|
|
dname_str(k->zonename, name);
|
|
/* skip expired stuff (only backed off) */
|
|
if(d->ttl < a->now) {
|
|
if(d->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
|
|
if(!ssl_printf(a->ssl, "%s %s expired rto %d\n", ip_str,
|
|
name, d->rtt.rto)) {
|
|
a->ssl_failed = 1;
|
|
return;
|
|
}
|
|
}
|
|
return;
|
|
}
|
|
if(!ssl_printf(a->ssl, "%s %s ttl %lu ping %d var %d rtt %d rto %d "
|
|
"tA %d tAAAA %d tother %d "
|
|
"ednsknown %d edns %d delay %d lame dnssec %d rec %d A %d "
|
|
"other %d\n", ip_str, name, (unsigned long)(d->ttl - a->now),
|
|
d->rtt.srtt, d->rtt.rttvar, rtt_notimeout(&d->rtt), d->rtt.rto,
|
|
d->timeout_A, d->timeout_AAAA, d->timeout_other,
|
|
(int)d->edns_lame_known, (int)d->edns_version,
|
|
(int)(a->now<d->probedelay?(d->probedelay - a->now):0),
|
|
(int)d->isdnsseclame, (int)d->rec_lame, (int)d->lame_type_A,
|
|
(int)d->lame_other)) {
|
|
a->ssl_failed = 1;
|
|
return;
|
|
}
|
|
}
|
|
|
|
/** do the dump_infra command */
|
|
static void
|
|
do_dump_infra(SSL* ssl, struct worker* worker)
|
|
{
|
|
struct infra_arg arg;
|
|
arg.infra = worker->env.infra_cache;
|
|
arg.ssl = ssl;
|
|
arg.now = *worker->env.now;
|
|
arg.ssl_failed = 0;
|
|
slabhash_traverse(arg.infra->hosts, 0, &dump_infra_host, (void*)&arg);
|
|
}
|
|
|
|
/** do the log_reopen command */
|
|
static void
|
|
do_log_reopen(SSL* ssl, struct worker* worker)
|
|
{
|
|
struct config_file* cfg = worker->env.cfg;
|
|
send_ok(ssl);
|
|
log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir);
|
|
}
|
|
|
|
/** do the set_option command */
|
|
static void
|
|
do_set_option(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
char* arg2;
|
|
if(!find_arg2(ssl, arg, &arg2))
|
|
return;
|
|
if(!config_set_option(worker->env.cfg, arg, arg2)) {
|
|
(void)ssl_printf(ssl, "error setting option\n");
|
|
return;
|
|
}
|
|
/* effectuate some arguments */
|
|
if(strcmp(arg, "val-override-date:") == 0) {
|
|
int m = modstack_find(&worker->env.mesh->mods, "validator");
|
|
struct val_env* val_env = NULL;
|
|
if(m != -1) val_env = (struct val_env*)worker->env.modinfo[m];
|
|
if(val_env)
|
|
val_env->date_override = worker->env.cfg->val_date_override;
|
|
}
|
|
send_ok(ssl);
|
|
}
|
|
|
|
/* routine to printout option values over SSL */
|
|
void remote_get_opt_ssl(char* line, void* arg)
|
|
{
|
|
SSL* ssl = (SSL*)arg;
|
|
(void)ssl_printf(ssl, "%s\n", line);
|
|
}
|
|
|
|
/** do the get_option command */
|
|
static void
|
|
do_get_option(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
int r;
|
|
r = config_get_option(worker->env.cfg, arg, remote_get_opt_ssl, ssl);
|
|
if(!r) {
|
|
(void)ssl_printf(ssl, "error unknown option\n");
|
|
return;
|
|
}
|
|
}
|
|
|
|
/** do the list_forwards command */
|
|
static void
|
|
do_list_forwards(SSL* ssl, struct worker* worker)
|
|
{
|
|
/* since its a per-worker structure no locks needed */
|
|
struct iter_forwards* fwds = worker->env.fwds;
|
|
struct iter_forward_zone* z;
|
|
struct trust_anchor* a;
|
|
int insecure;
|
|
RBTREE_FOR(z, struct iter_forward_zone*, fwds->tree) {
|
|
if(!z->dp) continue; /* skip empty marker for stub */
|
|
|
|
/* see if it is insecure */
|
|
insecure = 0;
|
|
if(worker->env.anchors &&
|
|
(a=anchor_find(worker->env.anchors, z->name,
|
|
z->namelabs, z->namelen, z->dclass))) {
|
|
if(!a->keylist && !a->numDS && !a->numDNSKEY)
|
|
insecure = 1;
|
|
lock_basic_unlock(&a->lock);
|
|
}
|
|
|
|
if(!ssl_print_name_dp(ssl, (insecure?"forward +i":"forward"),
|
|
z->name, z->dclass, z->dp))
|
|
return;
|
|
}
|
|
}
|
|
|
|
/** do the list_stubs command */
|
|
static void
|
|
do_list_stubs(SSL* ssl, struct worker* worker)
|
|
{
|
|
struct iter_hints_stub* z;
|
|
struct trust_anchor* a;
|
|
int insecure;
|
|
char str[32];
|
|
RBTREE_FOR(z, struct iter_hints_stub*, &worker->env.hints->tree) {
|
|
|
|
/* see if it is insecure */
|
|
insecure = 0;
|
|
if(worker->env.anchors &&
|
|
(a=anchor_find(worker->env.anchors, z->node.name,
|
|
z->node.labs, z->node.len, z->node.dclass))) {
|
|
if(!a->keylist && !a->numDS && !a->numDNSKEY)
|
|
insecure = 1;
|
|
lock_basic_unlock(&a->lock);
|
|
}
|
|
|
|
snprintf(str, sizeof(str), "stub %sprime%s",
|
|
(z->noprime?"no":""), (insecure?" +i":""));
|
|
if(!ssl_print_name_dp(ssl, str, z->node.name,
|
|
z->node.dclass, z->dp))
|
|
return;
|
|
}
|
|
}
|
|
|
|
/** do the list_local_zones command */
|
|
static void
|
|
do_list_local_zones(SSL* ssl, struct local_zones* zones)
|
|
{
|
|
struct local_zone* z;
|
|
char buf[257];
|
|
lock_rw_rdlock(&zones->lock);
|
|
RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
|
|
lock_rw_rdlock(&z->lock);
|
|
dname_str(z->name, buf);
|
|
if(!ssl_printf(ssl, "%s %s\n", buf,
|
|
local_zone_type2str(z->type))) {
|
|
/* failure to print */
|
|
lock_rw_unlock(&z->lock);
|
|
lock_rw_unlock(&zones->lock);
|
|
return;
|
|
}
|
|
lock_rw_unlock(&z->lock);
|
|
}
|
|
lock_rw_unlock(&zones->lock);
|
|
}
|
|
|
|
/** do the list_local_data command */
|
|
static void
|
|
do_list_local_data(SSL* ssl, struct worker* worker, struct local_zones* zones)
|
|
{
|
|
struct local_zone* z;
|
|
struct local_data* d;
|
|
struct local_rrset* p;
|
|
char* s = (char*)sldns_buffer_begin(worker->env.scratch_buffer);
|
|
size_t slen = sldns_buffer_capacity(worker->env.scratch_buffer);
|
|
lock_rw_rdlock(&zones->lock);
|
|
RBTREE_FOR(z, struct local_zone*, &zones->ztree) {
|
|
lock_rw_rdlock(&z->lock);
|
|
RBTREE_FOR(d, struct local_data*, &z->data) {
|
|
for(p = d->rrsets; p; p = p->next) {
|
|
struct packed_rrset_data* d =
|
|
(struct packed_rrset_data*)p->rrset->entry.data;
|
|
size_t i;
|
|
for(i=0; i<d->count + d->rrsig_count; i++) {
|
|
if(!packed_rr_to_string(p->rrset, i,
|
|
0, s, slen)) {
|
|
if(!ssl_printf(ssl, "BADRR\n")) {
|
|
lock_rw_unlock(&z->lock);
|
|
lock_rw_unlock(&zones->lock);
|
|
return;
|
|
}
|
|
}
|
|
if(!ssl_printf(ssl, "%s\n", s)) {
|
|
lock_rw_unlock(&z->lock);
|
|
lock_rw_unlock(&zones->lock);
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
lock_rw_unlock(&z->lock);
|
|
}
|
|
lock_rw_unlock(&zones->lock);
|
|
}
|
|
|
|
/** do the view_list_local_zones command */
|
|
static void
|
|
do_view_list_local_zones(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
struct view* v = views_find_view(worker->daemon->views,
|
|
arg, 0 /* get read lock*/);
|
|
if(!v) {
|
|
ssl_printf(ssl,"no view with name: %s\n", arg);
|
|
return;
|
|
}
|
|
if(v->local_zones) {
|
|
do_list_local_zones(ssl, v->local_zones);
|
|
}
|
|
lock_rw_unlock(&v->lock);
|
|
}
|
|
|
|
/** do the view_list_local_data command */
|
|
static void
|
|
do_view_list_local_data(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
struct view* v = views_find_view(worker->daemon->views,
|
|
arg, 0 /* get read lock*/);
|
|
if(!v) {
|
|
ssl_printf(ssl,"no view with name: %s\n", arg);
|
|
return;
|
|
}
|
|
if(v->local_zones) {
|
|
do_list_local_data(ssl, worker, v->local_zones);
|
|
}
|
|
lock_rw_unlock(&v->lock);
|
|
}
|
|
|
|
/** struct for user arg ratelimit list */
|
|
struct ratelimit_list_arg {
|
|
/** the infra cache */
|
|
struct infra_cache* infra;
|
|
/** the SSL to print to */
|
|
SSL* ssl;
|
|
/** all or only ratelimited */
|
|
int all;
|
|
/** current time */
|
|
time_t now;
|
|
};
|
|
|
|
#define ip_ratelimit_list_arg ratelimit_list_arg
|
|
|
|
/** list items in the ratelimit table */
|
|
static void
|
|
rate_list(struct lruhash_entry* e, void* arg)
|
|
{
|
|
struct ratelimit_list_arg* a = (struct ratelimit_list_arg*)arg;
|
|
struct rate_key* k = (struct rate_key*)e->key;
|
|
struct rate_data* d = (struct rate_data*)e->data;
|
|
char buf[257];
|
|
int lim = infra_find_ratelimit(a->infra, k->name, k->namelen);
|
|
int max = infra_rate_max(d, a->now);
|
|
if(a->all == 0) {
|
|
if(max < lim)
|
|
return;
|
|
}
|
|
dname_str(k->name, buf);
|
|
ssl_printf(a->ssl, "%s %d limit %d\n", buf, max, lim);
|
|
}
|
|
|
|
/** list items in the ip_ratelimit table */
|
|
static void
|
|
ip_rate_list(struct lruhash_entry* e, void* arg)
|
|
{
|
|
char ip[128];
|
|
struct ip_ratelimit_list_arg* a = (struct ip_ratelimit_list_arg*)arg;
|
|
struct ip_rate_key* k = (struct ip_rate_key*)e->key;
|
|
struct ip_rate_data* d = (struct ip_rate_data*)e->data;
|
|
int lim = infra_ip_ratelimit;
|
|
int max = infra_rate_max(d, a->now);
|
|
if(a->all == 0) {
|
|
if(max < lim)
|
|
return;
|
|
}
|
|
addr_to_str(&k->addr, k->addrlen, ip, sizeof(ip));
|
|
ssl_printf(a->ssl, "%s %d limit %d\n", ip, max, lim);
|
|
}
|
|
|
|
/** do the ratelimit_list command */
|
|
static void
|
|
do_ratelimit_list(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
struct ratelimit_list_arg a;
|
|
a.all = 0;
|
|
a.infra = worker->env.infra_cache;
|
|
a.now = *worker->env.now;
|
|
a.ssl = ssl;
|
|
arg = skipwhite(arg);
|
|
if(strcmp(arg, "+a") == 0)
|
|
a.all = 1;
|
|
if(a.infra->domain_rates==NULL ||
|
|
(a.all == 0 && infra_dp_ratelimit == 0))
|
|
return;
|
|
slabhash_traverse(a.infra->domain_rates, 0, rate_list, &a);
|
|
}
|
|
|
|
/** do the ip_ratelimit_list command */
|
|
static void
|
|
do_ip_ratelimit_list(SSL* ssl, struct worker* worker, char* arg)
|
|
{
|
|
struct ip_ratelimit_list_arg a;
|
|
a.all = 0;
|
|
a.infra = worker->env.infra_cache;
|
|
a.now = *worker->env.now;
|
|
a.ssl = ssl;
|
|
arg = skipwhite(arg);
|
|
if(strcmp(arg, "+a") == 0)
|
|
a.all = 1;
|
|
if(a.infra->client_ip_rates==NULL ||
|
|
(a.all == 0 && infra_ip_ratelimit == 0))
|
|
return;
|
|
slabhash_traverse(a.infra->client_ip_rates, 0, ip_rate_list, &a);
|
|
}
|
|
|
|
/** tell other processes to execute the command */
|
|
static void
|
|
distribute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd)
|
|
{
|
|
int i;
|
|
if(!cmd || !ssl)
|
|
return;
|
|
/* skip i=0 which is me */
|
|
for(i=1; i<rc->worker->daemon->num; i++) {
|
|
worker_send_cmd(rc->worker->daemon->workers[i],
|
|
worker_cmd_remote);
|
|
if(!tube_write_msg(rc->worker->daemon->workers[i]->cmd,
|
|
(uint8_t*)cmd, strlen(cmd)+1, 0)) {
|
|
ssl_printf(ssl, "error could not distribute cmd\n");
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
/** check for name with end-of-string, space or tab after it */
|
|
static int
|
|
cmdcmp(char* p, const char* cmd, size_t len)
|
|
{
|
|
return strncmp(p,cmd,len)==0 && (p[len]==0||p[len]==' '||p[len]=='\t');
|
|
}
|
|
|
|
/** execute a remote control command */
|
|
static void
|
|
execute_cmd(struct daemon_remote* rc, SSL* ssl, char* cmd,
|
|
struct worker* worker)
|
|
{
|
|
char* p = skipwhite(cmd);
|
|
/* compare command */
|
|
if(cmdcmp(p, "stop", 4)) {
|
|
do_stop(ssl, rc);
|
|
return;
|
|
} else if(cmdcmp(p, "reload", 6)) {
|
|
do_reload(ssl, rc);
|
|
return;
|
|
} else if(cmdcmp(p, "stats_noreset", 13)) {
|
|
do_stats(ssl, rc, 0);
|
|
return;
|
|
} else if(cmdcmp(p, "stats", 5)) {
|
|
do_stats(ssl, rc, 1);
|
|
return;
|
|
} else if(cmdcmp(p, "status", 6)) {
|
|
do_status(ssl, worker);
|
|
return;
|
|
} else if(cmdcmp(p, "dump_cache", 10)) {
|
|
(void)dump_cache(ssl, worker);
|
|
return;
|
|
} else if(cmdcmp(p, "load_cache", 10)) {
|
|
if(load_cache(ssl, worker)) send_ok(ssl);
|
|
return;
|
|
} else if(cmdcmp(p, "list_forwards", 13)) {
|
|
do_list_forwards(ssl, worker);
|
|
return;
|
|
} else if(cmdcmp(p, "list_stubs", 10)) {
|
|
do_list_stubs(ssl, worker);
|
|
return;
|
|
} else if(cmdcmp(p, "list_insecure", 13)) {
|
|
do_insecure_list(ssl, worker);
|
|
return;
|
|
} else if(cmdcmp(p, "list_local_zones", 16)) {
|
|
do_list_local_zones(ssl, worker->daemon->local_zones);
|
|
return;
|
|
} else if(cmdcmp(p, "list_local_data", 15)) {
|
|
do_list_local_data(ssl, worker, worker->daemon->local_zones);
|
|
return;
|
|
} else if(cmdcmp(p, "view_list_local_zones", 21)) {
|
|
do_view_list_local_zones(ssl, worker, skipwhite(p+21));
|
|
return;
|
|
} else if(cmdcmp(p, "view_list_local_data", 20)) {
|
|
do_view_list_local_data(ssl, worker, skipwhite(p+20));
|
|
return;
|
|
} else if(cmdcmp(p, "ratelimit_list", 14)) {
|
|
do_ratelimit_list(ssl, worker, p+14);
|
|
return;
|
|
} else if(cmdcmp(p, "ip_ratelimit_list", 17)) {
|
|
do_ip_ratelimit_list(ssl, worker, p+17);
|
|
return;
|
|
} else if(cmdcmp(p, "stub_add", 8)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_stub_add(ssl, worker, skipwhite(p+8));
|
|
return;
|
|
} else if(cmdcmp(p, "stub_remove", 11)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_stub_remove(ssl, worker, skipwhite(p+11));
|
|
return;
|
|
} else if(cmdcmp(p, "forward_add", 11)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_forward_add(ssl, worker, skipwhite(p+11));
|
|
return;
|
|
} else if(cmdcmp(p, "forward_remove", 14)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_forward_remove(ssl, worker, skipwhite(p+14));
|
|
return;
|
|
} else if(cmdcmp(p, "insecure_add", 12)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_insecure_add(ssl, worker, skipwhite(p+12));
|
|
return;
|
|
} else if(cmdcmp(p, "insecure_remove", 15)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_insecure_remove(ssl, worker, skipwhite(p+15));
|
|
return;
|
|
} else if(cmdcmp(p, "forward", 7)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_forward(ssl, worker, skipwhite(p+7));
|
|
return;
|
|
} else if(cmdcmp(p, "flush_stats", 11)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_flush_stats(ssl, worker);
|
|
return;
|
|
} else if(cmdcmp(p, "flush_requestlist", 17)) {
|
|
/* must always distribute this cmd */
|
|
if(rc) distribute_cmd(rc, ssl, cmd);
|
|
do_flush_requestlist(ssl, worker);
|
|
return;
|
|
} else if(cmdcmp(p, "lookup", 6)) {
|
|
do_lookup(ssl, worker, skipwhite(p+6));
|
|
return;
|
|
}
|
|
|
|
#ifdef THREADS_DISABLED
|
|
/* other processes must execute the command as well */
|
|
/* commands that should not be distributed, returned above. */
|
|
if(rc) { /* only if this thread is the master (rc) thread */
|
|
/* done before the code below, which may split the string */
|
|
distribute_cmd(rc, ssl, cmd);
|
|
}
|
|
#endif
|
|
if(cmdcmp(p, "verbosity", 9)) {
|
|
do_verbosity(ssl, skipwhite(p+9));
|
|
} else if(cmdcmp(p, "local_zone_remove", 17)) {
|
|
do_zone_remove(ssl, worker->daemon->local_zones, skipwhite(p+17));
|
|
} else if(cmdcmp(p, "local_zones_remove", 18)) {
|
|
do_zones_remove(ssl, worker->daemon->local_zones);
|
|
} else if(cmdcmp(p, "local_zone", 10)) {
|
|
do_zone_add(ssl, worker->daemon->local_zones, skipwhite(p+10));
|
|
} else if(cmdcmp(p, "local_zones", 11)) {
|
|
do_zones_add(ssl, worker->daemon->local_zones);
|
|
} else if(cmdcmp(p, "local_data_remove", 17)) {
|
|
do_data_remove(ssl, worker->daemon->local_zones, skipwhite(p+17));
|
|
} else if(cmdcmp(p, "local_datas_remove", 18)) {
|
|
do_datas_remove(ssl, worker->daemon->local_zones);
|
|
} else if(cmdcmp(p, "local_data", 10)) {
|
|
do_data_add(ssl, worker->daemon->local_zones, skipwhite(p+10));
|
|
} else if(cmdcmp(p, "local_datas", 11)) {
|
|
do_datas_add(ssl, worker->daemon->local_zones);
|
|
} else if(cmdcmp(p, "view_local_zone_remove", 22)) {
|
|
do_view_zone_remove(ssl, worker, skipwhite(p+22));
|
|
} else if(cmdcmp(p, "view_local_zone", 15)) {
|
|
do_view_zone_add(ssl, worker, skipwhite(p+15));
|
|
} else if(cmdcmp(p, "view_local_data_remove", 22)) {
|
|
do_view_data_remove(ssl, worker, skipwhite(p+22));
|
|
} else if(cmdcmp(p, "view_local_data", 15)) {
|
|
do_view_data_add(ssl, worker, skipwhite(p+15));
|
|
} else if(cmdcmp(p, "flush_zone", 10)) {
|
|
do_flush_zone(ssl, worker, skipwhite(p+10));
|
|
} else if(cmdcmp(p, "flush_type", 10)) {
|
|
do_flush_type(ssl, worker, skipwhite(p+10));
|
|
} else if(cmdcmp(p, "flush_infra", 11)) {
|
|
do_flush_infra(ssl, worker, skipwhite(p+11));
|
|
} else if(cmdcmp(p, "flush", 5)) {
|
|
do_flush_name(ssl, worker, skipwhite(p+5));
|
|
} else if(cmdcmp(p, "dump_requestlist", 16)) {
|
|
do_dump_requestlist(ssl, worker);
|
|
} else if(cmdcmp(p, "dump_infra", 10)) {
|
|
do_dump_infra(ssl, worker);
|
|
} else if(cmdcmp(p, "log_reopen", 10)) {
|
|
do_log_reopen(ssl, worker);
|
|
} else if(cmdcmp(p, "set_option", 10)) {
|
|
do_set_option(ssl, worker, skipwhite(p+10));
|
|
} else if(cmdcmp(p, "get_option", 10)) {
|
|
do_get_option(ssl, worker, skipwhite(p+10));
|
|
} else if(cmdcmp(p, "flush_bogus", 11)) {
|
|
do_flush_bogus(ssl, worker);
|
|
} else if(cmdcmp(p, "flush_negative", 14)) {
|
|
do_flush_negative(ssl, worker);
|
|
} else {
|
|
(void)ssl_printf(ssl, "error unknown command '%s'\n", p);
|
|
}
|
|
}
|
|
|
|
void
|
|
daemon_remote_exec(struct worker* worker)
|
|
{
|
|
/* read the cmd string */
|
|
uint8_t* msg = NULL;
|
|
uint32_t len = 0;
|
|
if(!tube_read_msg(worker->cmd, &msg, &len, 0)) {
|
|
log_err("daemon_remote_exec: tube_read_msg failed");
|
|
return;
|
|
}
|
|
verbose(VERB_ALGO, "remote exec distributed: %s", (char*)msg);
|
|
execute_cmd(NULL, NULL, (char*)msg, worker);
|
|
free(msg);
|
|
}
|
|
|
|
/** handle remote control request */
|
|
static void
|
|
handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
|
|
{
|
|
int r;
|
|
char pre[10];
|
|
char magic[7];
|
|
char buf[1024];
|
|
#ifdef USE_WINSOCK
|
|
/* makes it possible to set the socket blocking again. */
|
|
/* basically removes it from winsock_event ... */
|
|
WSAEventSelect(s->c->fd, NULL, 0);
|
|
#endif
|
|
fd_set_block(s->c->fd);
|
|
|
|
/* try to read magic UBCT[version]_space_ string */
|
|
ERR_clear_error();
|
|
if((r=SSL_read(ssl, magic, (int)sizeof(magic)-1)) <= 0) {
|
|
if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN)
|
|
return;
|
|
log_crypto_err("could not SSL_read");
|
|
return;
|
|
}
|
|
magic[6] = 0;
|
|
if( r != 6 || strncmp(magic, "UBCT", 4) != 0) {
|
|
verbose(VERB_QUERY, "control connection has bad magic string");
|
|
/* probably wrong tool connected, ignore it completely */
|
|
return;
|
|
}
|
|
|
|
/* read the command line */
|
|
if(!ssl_read_line(ssl, buf, sizeof(buf))) {
|
|
return;
|
|
}
|
|
snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
|
|
if(strcmp(magic, pre) != 0) {
|
|
verbose(VERB_QUERY, "control connection had bad "
|
|
"version %s, cmd: %s", magic, buf);
|
|
ssl_printf(ssl, "error version mismatch\n");
|
|
return;
|
|
}
|
|
verbose(VERB_DETAIL, "control cmd: %s", buf);
|
|
|
|
/* figure out what to do */
|
|
execute_cmd(rc, ssl, buf, rc->worker);
|
|
}
|
|
|
|
int remote_control_callback(struct comm_point* c, void* arg, int err,
|
|
struct comm_reply* ATTR_UNUSED(rep))
|
|
{
|
|
struct rc_state* s = (struct rc_state*)arg;
|
|
struct daemon_remote* rc = s->rc;
|
|
int r;
|
|
if(err != NETEVENT_NOERROR) {
|
|
if(err==NETEVENT_TIMEOUT)
|
|
log_err("remote control timed out");
|
|
clean_point(rc, s);
|
|
return 0;
|
|
}
|
|
/* (continue to) setup the SSL connection */
|
|
ERR_clear_error();
|
|
r = SSL_do_handshake(s->ssl);
|
|
if(r != 1) {
|
|
int r2 = SSL_get_error(s->ssl, r);
|
|
if(r2 == SSL_ERROR_WANT_READ) {
|
|
if(s->shake_state == rc_hs_read) {
|
|
/* try again later */
|
|
return 0;
|
|
}
|
|
s->shake_state = rc_hs_read;
|
|
comm_point_listen_for_rw(c, 1, 0);
|
|
return 0;
|
|
} else if(r2 == SSL_ERROR_WANT_WRITE) {
|
|
if(s->shake_state == rc_hs_write) {
|
|
/* try again later */
|
|
return 0;
|
|
}
|
|
s->shake_state = rc_hs_write;
|
|
comm_point_listen_for_rw(c, 0, 1);
|
|
return 0;
|
|
} else {
|
|
if(r == 0)
|
|
log_err("remote control connection closed prematurely");
|
|
log_addr(1, "failed connection from",
|
|
&s->c->repinfo.addr, s->c->repinfo.addrlen);
|
|
log_crypto_err("remote control failed ssl");
|
|
clean_point(rc, s);
|
|
return 0;
|
|
}
|
|
}
|
|
s->shake_state = rc_none;
|
|
|
|
/* once handshake has completed, check authentication */
|
|
if (!rc->use_cert) {
|
|
verbose(VERB_ALGO, "unauthenticated remote control connection");
|
|
} else if(SSL_get_verify_result(s->ssl) == X509_V_OK) {
|
|
X509* x = SSL_get_peer_certificate(s->ssl);
|
|
if(!x) {
|
|
verbose(VERB_DETAIL, "remote control connection "
|
|
"provided no client certificate");
|
|
clean_point(rc, s);
|
|
return 0;
|
|
}
|
|
verbose(VERB_ALGO, "remote control connection authenticated");
|
|
X509_free(x);
|
|
} else {
|
|
verbose(VERB_DETAIL, "remote control connection failed to "
|
|
"authenticate with client certificate");
|
|
clean_point(rc, s);
|
|
return 0;
|
|
}
|
|
|
|
/* if OK start to actually handle the request */
|
|
handle_req(rc, s, s->ssl);
|
|
|
|
verbose(VERB_ALGO, "remote control operation completed");
|
|
clean_point(rc, s);
|
|
return 0;
|
|
}
|